CVE-2026-35388: Connection Multiplexing in OpenSSH

The core of this vulnerability lies in the handling of multiplexed connections within OpenSSH's proxy-mode. Proxy-mode allows SSH clients to forward connections through an intermediary server. CVE-2026-35388 arises because OpenSSH doesn't properly confirm the establishment of these multiplexed connections. An attacker could potentially craft malicious connection requests that bypass this confirmation process. While a full compromise isn't likely, the attacker could disrupt existing connections or prevent new connections from being established, leading to denial-of-service-like effects for users relying on the SSH proxy. The blast radius is limited to users and systems utilizing the affected OpenSSH proxy functionality. There's no immediate evidence of data exfiltration or remote code execution associated with this specific vulnerability.

1. Reserved2026-04-02
2. Published2026-04-02
3. EPSS updated2026-04-10

The primary mitigation for CVE-2026-35388 is upgrading OpenSSH to version 10.3 or later. Before upgrading, it's crucial to test the upgrade in a non-production environment to ensure compatibility with existing configurations and applications. If a direct upgrade to 10.3 is not feasible due to compatibility issues, consider implementing temporary workarounds such as stricter firewall rules to limit inbound connections to the SSH proxy server, restricting access to trusted IP addresses. While a WAF or proxy cannot directly patch the vulnerability, they can help mitigate the impact by filtering malicious connection attempts. After upgrading to OpenSSH 10.3, verify the fix by attempting to establish a multiplexed connection through the proxy and confirming that the connection confirmation process functions as expected.