Platform: linux
Component: openssh
Fixed in: 10.3
CVE-2026-35388 affects OpenSSH versions before 10.3. The flaw is a missing confirmation step for multiplexed connections in proxy-mode sessions. Although the severity is rated LOW, a successful exploit could disrupt SSH connections, which in turn could affect system access and data transfer. The issue is fixed in OpenSSH 10.3.
The core of the vulnerability is the handling of multiplexed connections in OpenSSH's proxy mode, which lets SSH clients forward connections through an intermediary server. CVE-2026-35388 arises because OpenSSH does not properly confirm that such multiplexed connections have been established, so a crafted connection request could bypass the confirmation step. A full compromise is unlikely; the realistic impact is that an attacker disrupts existing connections or prevents new ones from being established, producing denial-of-service-like effects for users who rely on the SSH proxy. The blast radius is limited to users and systems that use the affected proxy functionality. There is no evidence of data exfiltration or remote code execution associated with this vulnerability.
CVE-2026-35388 was published on April 2, 2026. Its CVSS base score is 2.5 (low severity). No public proof-of-concept exploits are currently available. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, and its EPSS score is 0.01%. Given the low CVSS score and the absence of public exploits, the current probability of exploitation is considered low.
Exploit Status
EPSS: 0.01% (2nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-35388 is upgrading OpenSSH to version 10.3 or later. Test the upgrade in a non-production environment first to confirm compatibility with existing configurations and applications. If a direct upgrade to 10.3 is not feasible because of compatibility issues, consider temporary workarounds such as stricter firewall rules that limit inbound connections to the SSH proxy server to trusted IP addresses. A WAF or proxy cannot patch the vulnerability itself, but it can reduce the impact by filtering malicious connection attempts. After upgrading to OpenSSH 10.3, verify the fix by establishing a multiplexed connection through the proxy and confirming that the connection-confirmation step behaves as expected.
Upgrade OpenSSH to version 10.3 or later. This fixes the missing connection-multiplexing confirmation for proxy-mode multiplexing sessions.
It is a vulnerability in OpenSSH versions before 10.3 in which the connection-multiplexing confirmation is missing for proxy-mode sessions, potentially disrupting connections.
If you are running OpenSSH versions 0.0 through 10.2, you are potentially affected. Check your OpenSSH version and upgrade if necessary.
Upgrade OpenSSH to version 10.3 or later. Test the upgrade in a non-production environment first.
There are currently no publicly known exploits or active campaigns targeting this vulnerability.
Refer to the official NVD entry for CVE-2026-35388 and the OpenSSH security advisories for detailed information.
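To support the "check your OpenSSH version" step above, here is an added inventory helper (not code from OpenSSH or from this advisory) that parses the version token from an `ssh -V` banner or an SSH identification string and compares it against the 10.3 fix release. The sample banners are constructed; only the "fixed in 10.3" threshold comes from the page.

```python
import re
import subprocess
from typing import Optional, Tuple

# CVE-2026-35388 is fixed in OpenSSH 10.3 (per the advisory above)
FIXED_IN: Tuple[int, int] = (10, 3)

# Matches the leading version token, e.g. "OpenSSH_10.2p1" or "SSH-2.0-OpenSSH_9.9"
_VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)")


def parse_openssh_version(banner: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) from an `ssh -V` line or server identification string."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_affected(banner: str, fixed_in: Tuple[int, int] = FIXED_IN) -> Optional[bool]:
    """True if the banner reports an OpenSSH release older than the fix; None if not OpenSSH.
    Caveat: distributions may backport the fix without bumping the upstream version,
    so a True here means 'check the package changelog', not 'definitely vulnerable'."""
    version = parse_openssh_version(banner)
    if version is None:
        return None
    return version < fixed_in


def local_banner() -> str:
    """Run `ssh -V` on this host; OpenSSH prints its version banner to stderr."""
    proc = subprocess.run(["ssh", "-V"], capture_output=True, text=True, check=False)
    return (proc.stderr or proc.stdout).strip()


if __name__ == "__main__":
    # Constructed sample banners (not taken from the advisory)
    samples = [
        "OpenSSH_10.2p1, OpenSSL 3.0.13 30 Jan 2024",
        "OpenSSH_10.3p1, OpenSSL 3.0.13 30 Jan 2024",
        "SSH-2.0-OpenSSH_9.9",
        "SSH-2.0-dropbear_2024.86",
    ]
    for s in samples:
        print(f"{s:45} affected={is_affected(s)}")
    try:
        banner = local_banner()
        print(f"local: {banner} affected={is_affected(banner)}")
    except FileNotFoundError:
        print("local: ssh binary not found")
```

A result of None means the banner is not OpenSSH at all (for example a different SSH implementation), which this advisory does not cover.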