Platform
linux
Component
openssh
Fixed in
10.3
CVE-2026-35387 affects OpenSSH releases before 10.3. The flaw is a misinterpretation of ECDSA entries in the PubkeyAcceptedAlgorithms and HostbasedAcceptedAlgorithms directives: listing a single ECDSA algorithm is treated as permitting every ECDSA algorithm. A client holding a trusted key of an ECDSA type the administrator intended to exclude can therefore still authenticate with it, weakening the configured algorithm policy. The vulnerability is fixed in OpenSSH 10.3.
These directives are meant to restrict which public-key and host-based signature algorithms are accepted during authentication. Because of CVE-2026-35387, naming any ECDSA algorithm in either directive is interpreted as allowing all ECDSA algorithms, so a configuration written to permit only, say, ecdsa-sha2-nistp256 also accepts the other ECDSA algorithms OpenSSH supports, such as the other nistp curves and their certificate and sk- (FIDO) variants. Two things bound the impact: the attacker still needs a key that is trusted for the account or host (an authorized key, a certificate from a trusted CA, or a trusted host key), and what is bypassed is the administrator's algorithm restriction, not authentication itself. That is why the CVSS rating is LOW, but a restriction that silently does not hold still deserves attention. The blast radius is every host whose OpenSSH configuration relies on a partial ECDSA allow-list; given how widely OpenSSH is deployed, that may be a large set. No active exploitation has been reported, but the weakness is trivial to use once an attacker holds a trusted key of an excluded ECDSA type.
CVE-2026-35387 was published on April 2, 2026 with a LOW CVSS rating. CVSS measures severity, not likelihood; the exploitation-likelihood signal on this page is the EPSS score of 0.03% (9th percentile). No public proof-of-concept (PoC) exploit is known, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Monitor security advisories and threat intelligence feeds for any indication of active exploitation.
Exploit status
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS vector
The fix is to upgrade to OpenSSH 10.3 or later. Where that cannot be done immediately, review the effective configuration (on the server, sshd -T dumps it, one lowercase keyword per line) and inspect PubkeyAcceptedAlgorithms and HostbasedAcceptedAlgorithms. On an unpatched version a partial ECDSA allow-list cannot be enforced at all, so the only workaround that actually restricts ECDSA is to list no ECDSA algorithm in either directive, for example allowing only ssh-ed25519 and rsa-sha2-* entries; if ECDSA keys must be accepted, treat every ECDSA algorithm as allowed until the upgrade is done. A WAF or proxy cannot mitigate this. Detection is log-based rather than signature-based: sshd's "Accepted publickey for <user> from <ip> port <port> ssh2: ECDSA SHA256:..." line records the key type of every successful login, so auditing authentication logs for ECDSA logins on hosts that were supposed to restrict them is the practical check, and a Sigma rule on that log line is feasible (YARA does not apply to a configuration-semantics bug). After upgrading, verify the fix by creating a key of an ECDSA type that is not in the list (for example ssh-keygen -t ecdsa -b 384 when only nistp256 is listed), authorizing it for a test account, and confirming that login with it is rejected while a listed type still succeeds.
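The following audit helper is an added example for this advisory, not code from the OpenSSH project. It parses sshd -T style effective configuration for the two directives discussed above and, because a pre-10.3 sshd treats any ECDSA entry as "all ECDSA algorithms", reports a list as exposed whenever it contains one. It assumes the server side is being audited (the same keywords also exist in ssh_config) and runs on constructed samples embedded in the script; the drop-in path and the hardened algorithm lists are illustrative choices, not part of the advisory.

```shell
#!/bin/sh
# Added audit helper for CVE-2026-35387 (not from the OpenSSH project or
# this advisory). Parses `sshd -T` style effective configuration and flags
# ECDSA entries in PubkeyAcceptedAlgorithms / HostbasedAcceptedAlgorithms.
# On a pre-10.3 sshd any ECDSA entry is interpreted as "all ECDSA
# algorithms", so the only restriction that holds there is "no ECDSA at all".

# Print how many ECDSA algorithm names a comma-separated list contains.
# Matches ecdsa-sha2-nistp*, the -cert-v01 variants and the sk-ecdsa-* FIDO
# names, all of which carry the "ecdsa-sha2-" substring.
count_ecdsa() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -c 'ecdsa-sha2-' || true
}

# Print the effective value of one keyword from `sshd -T` output
# ($1 = output text, $2 = lowercase keyword). `sshd -T` prints keywords in
# lowercase, one "keyword value" pair per line.
effective_value() {
    printf '%s\n' "$1" | awk -v k="$2" 'tolower($1) == k { print $2; exit }'
}

# Audit both directives. Prints one verdict per keyword; returns 0 when
# neither list contains an ECDSA entry and 1 when at least one does
# (i.e. the restriction does not hold on an unpatched sshd).
audit_config() {
    exposed=0
    for kw in pubkeyacceptedalgorithms hostbasedacceptedalgorithms; do
        list=$(effective_value "$1" "$kw")
        n=$(count_ecdsa "$list")
        if [ "$n" -eq 0 ]; then
            echo "$kw: OK - no ECDSA entries [$list]"
        else
            echo "$kw: EXPOSED - $n ECDSA entries; pre-10.3 sshd treats this as all ECDSA algorithms [$list]"
            exposed=1
        fi
    done
    return $exposed
}

# Constructed sample: a host whose admin meant to allow only the P-256 curve.
SAMPLE_WEAK='port 22
pubkeyacceptedalgorithms ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512
hostbasedacceptedalgorithms ssh-ed25519,ecdsa-sha2-nistp256'

# Constructed sample: the same host after removing every ECDSA entry, which
# is what a hypothetical drop-in /etc/ssh/sshd_config.d/10-no-ecdsa.conf with
#   PubkeyAcceptedAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256
#   HostbasedAcceptedAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com
# produces in `sshd -T` output.
SAMPLE_HARDENED='port 22
pubkeyacceptedalgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256
hostbasedacceptedalgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com'

# Demo on the constructed samples. On a real host run instead:
#   audit_config "$(sudo sshd -T)"
audit_config "$SAMPLE_WEAK" || echo '-> upgrade to OpenSSH 10.3 or remove the ECDSA entries'
audit_config "$SAMPLE_HARDENED" && echo '-> restriction holds even on an unpatched sshd'
```

The audit deliberately flags any ECDSA entry rather than trying to judge which curves are "acceptable": on an unpatched host the distinction is meaningless, since one entry admits them all. Once the fleet is on 10.3, the same script still tells you which hosts accept ECDSA keys, which is the population to cover with the log-based check above.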
Upgrade OpenSSH to version 10.3 or later. This corrects the misinterpretation of ECDSA algorithms in the PubkeyAcceptedAlgorithms and HostbasedAcceptedAlgorithms settings.
It is a vulnerability in OpenSSH where listing one ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is treated as allowing all ECDSA algorithms, so ECDSA key types the administrator meant to exclude can still be used during authentication.
If you are running any OpenSSH release before 10.3 (10.2 and earlier), you are potentially affected. Upgrade to version 10.3 or later to mitigate the risk.
The recommended fix is to upgrade to OpenSSH version 10.3 or later. If an immediate upgrade is not possible, remove ECDSA algorithms from those directives entirely, since a partial ECDSA allow-list is not enforced on affected versions.
As of now, there are no publicly known exploits or active campaigns targeting this vulnerability, but proactive patching is still recommended.
Refer to the official OpenSSH security advisory and the NVD (National Vulnerability Database) entry for CVE-2026-35387 for detailed information.