CVE‑2026‑3497: OpenSSH GSSAPI Flaw Crashes Child Processes and Breaks Privilege Separation

March 13, 2026 Faeem BLOGS 0

A newly disclosed vulnerability in OpenSSH’s GSSAPI Key Exchange patch threatens the stability and security of Linux systems running GSSAPI‑enabled SSH servers. Tracked as CVE‑2026‑3497, the flaw allows attackers to reliably crash SSH child processes and potentially violate privilege separation boundaries — all with a single crafted packet.

Root Cause

  • Location: kexgsss.c, the server‑side GSSAPI key exchange handler.
  • Bug: The non‑terminating function sshpkt_disconnect() was mistakenly used instead of ssh_packet_disconnect().
  • Impact: Execution continues after error handling, leading to use of an uninitialized stack variable (recv_tok).
  • Result: Garbage values are sent to the privileged monitor process, which may call free() on invalid pointers, causing heap corruption.

Exploitation Details

  • Trigger: A single crafted SSH packet (~300 bytes).
  • No credentials required: Exploitation possible without authentication.
  • Reliability: Child process crashes are 100% reproducible in tested builds.
  • Privilege separation violation: Up to 127KB of heap data can be transmitted to the root‑level monitor process.
  • Compiler variance: Severity differs across distributions depending on compiler flags (Clang vs GCC).

Affected Systems

  • Confirmed impact on Ubuntu and Debian OpenSSH servers with GSSAPIKeyExchange yes enabled.
  • Broader scope likely, as multiple versions of the GSSAPI KEX patch circulate across Linux distributions.

Mitigation & Fix

  • Patch available: Ubuntu has already prepared a fix.
  • Manual remediation: Replace all three instances of sshpkt_disconnect() with ssh_packet_disconnect() in kexgsss.c.
  • Temporary mitigation: Disable GSSAPI key exchange (GSSAPIKeyExchange no) until patches are applied.
  • Immediate action: Apply distribution updates as soon as they are released.

Final Thought

CVE‑2026‑3497 is a reminder that even a one‑line defect in widely deployed code can have systemic consequences. With OpenSSH underpinning secure remote access across millions of servers, administrators must act quickly: patch or disable GSSAPI key exchange to prevent exploitation. In the world of privilege separation, small coding errors can open big security holes.

Be the first to comment

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.