In the critical infrastructure of the internet, OpenSSH stands as one of the most vital gatekeepers for secure remote access. However, even the most trusted tools require constant refinement. A series of newly patched vulnerabilities—ranging from minor logic errors to potential command execution—has highlighted the need for administrators to keep their SSH stacks up to date.
The most concerning vulnerability in this batch is CVE-2026-35386 (CVSS 3.6). It involves improper validation of shell metacharacters in usernames supplied to ssh on the command line (via user@host or -l).
The danger arises when such a name is expanded from a %-token in ssh_config and handed to a shell, specifically through the %r token (the remote username) in a Match exec directive, whose command is run under the user's shell. Note that %u expands the local user name, not the name given on the command line, so it is %r that carries attacker-controlled input. An attacker who can influence the username passed to the ssh command could then execute arbitrary shell commands on the client system.
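As an added example (not OpenSSH code), here is a POSIX sh wrapper that refuses to hand a username containing shell metacharacters to ssh. This is the client-side guard a script that builds ssh invocations from untrusted input would want until every client runs 10.3. The allowed-character set and the check-access script named in the comment are assumptions, not rules taken from OpenSSH.

```shell
#!/bin/sh
# Added example; not part of OpenSSH. Assumed policy: usernames may contain
# only ASCII letters, digits, '.', '_', '@' and '-', and may not start with '-'.
#
# The ssh_config pattern at issue looks like this (check-access is an assumed
# script name; %r expands to the remote username given on the command line):
#   Match exec "/usr/local/bin/check-access %r %h"

# Return 0 when NAME is safe to expand into a Match exec command, 1 otherwise.
ssh_user_is_safe() {
    name=$1
    [ -n "$name" ] || return 1
    # Anything outside the allow-list is rejected: quotes, $ ( ) ; | & < > \,
    # backticks, whitespace and % all fall through to this branch.
    case $name in
        *[!A-Za-z0-9._@-]*) return 1 ;;
    esac
    # A leading '-' would be parsed as an option by the command run from exec.
    case $name in
        -*) return 1 ;;
    esac
    return 0
}

# Wrapper: ssh_checked USER HOST [ssh args...]
# Validates USER before invoking ssh; exit status 2 means the name was refused.
ssh_checked() {
    user=$1; host=$2; shift 2
    if ! ssh_user_is_safe "$user"; then
        printf 'refusing unsafe username: %s\n' "$user" >&2
        return 2
    fi
    ssh -l "$user" "$host" "$@"
}
```

The allow-list is deliberately stricter than what a Unix account name may legally contain; widen it to the site's naming rules rather than trying to enumerate dangerous characters, since a deny-list is exactly the kind of check this CVE shows being incomplete.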
For those still relying on the legacy scp protocol, CVE-2026-35385 (CVSS 7.5) addresses a behavioural oversight in scp. When downloading files as root in legacy (-O) mode without the -p (preserve modes) flag, scp failed to clear setuid/setgid bits from the received files, so a mode supplied by the remote side could be applied as-is.
This is not a minor detail: a root-owned file with the setuid bit set runs as root for whichever user executes it, so a malicious remote side that sends a file with mode 4755 can plant a local privilege-escalation path on the downloading host. Note that scp has used the SFTP protocol by default since OpenSSH 9.0, so only invocations that explicitly request -O are affected.
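The following is an added example, not part of OpenSSH: a small audit that lists and strips setuid/setgid bits from everything under a download directory, which is the clean-up a root-run legacy scp job would want after the fact. The demo function builds a scratch tree of its own (constructed sample data) so it runs offline.

```shell
#!/bin/sh
# Added example; not part of OpenSSH. Audits a directory for regular files
# carrying setuid/setgid bits and strips them. Only the tree passed in is touched.

# Print the paths of regular files under DIR that have setuid or setgid set.
find_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Strip setuid/setgid from every such file under DIR; print how many were fixed.
strip_setid_bits() {
    count=$(find_setid_files "$1" | wc -l | tr -d ' ')
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec chmod u-s,g-s {} +
    echo "$count"
}

# Constructed demo: a scratch tree resembling what a legacy-mode download could
# leave behind when the sender supplies a setuid mode. Prints "before stripped after".
demo_scp_audit() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\nid\n' > "$dir/tool"
    chmod 4755 "$dir/tool"            # mode an attacker-controlled sender could send
    printf 'data\n' > "$dir/notes.txt"
    chmod 0644 "$dir/notes.txt"       # ordinary file, must be left alone
    before=$(find_setid_files "$dir" | wc -l | tr -d ' ')
    stripped=$(strip_setid_bits "$dir")
    after=$(find_setid_files "$dir" | wc -l | tr -d ' ')
    rm -rf "$dir"
    echo "$before $stripped $after"   # → "1 1 0"
}
```

Run find_setid_files first to see what would change; the files it reports are the ones that could be executed by another local user with the owner's privileges.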
OpenSSH has also addressed a logic error in how sshd handles SSH certificates. CVE-2026-35414 (CVSS 4.2) involves an incorrect algorithm being used when matching an authorized_keys principals="..." option against the list of principals encoded in a certificate.
This flaw could allow "inappropriate matching" if a principal name in the certificate contains a comma character. Exploiting it requires a very specific setup:
- An authorized_keys file that lists multiple principals.
- A Certificate Authority (CA) willing to issue a certificate whose principal names themselves contain commas, something a normally configured CA does not do.
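As an added example (not sshd's code), the functions below contrast the correct check, which compares each certificate principal as a whole string against each name in the authorized_keys principals="..." list, with a list-style comparison that also splits the certificate principal on commas. The second is one assumed way the "inappropriate matching" described above can arise, shown for illustration rather than as a claim about sshd's internals. A CA-side guard that refuses comma-bearing principals is included as well.

```shell
#!/bin/sh
# Added example; not sshd code. Principal names with commas are the edge case.

# Correct: LIST is a comma-separated principals= value; PRINCIPAL is compared
# whole, so a certificate principal "evil,alice" never matches "alice".
principal_allowed() (
    IFS=,
    for name in $1; do
        [ "$name" = "$2" ] && exit 0
    done
    exit 1
)

# Loose (assumed illustration of the bug class): PRINCIPAL is also split on
# commas, so "evil,alice" matches a list that merely contains "alice".
principal_allowed_loose() (
    IFS=,
    for part in $2; do
        for name in $1; do
            [ "$name" = "$part" ] && exit 0
        done
    done
    exit 1
)

# CA-side guard: refuse to issue a certificate if any requested principal is
# empty or contains a comma. Usage: principals_are_sane NAME...
principals_are_sane() {
    for p in "$@"; do
        case $p in
            ""|*,*) return 1 ;;
        esac
    done
    return 0
}
```

ssh-keygen's -n option takes its principals as a comma-separated list, so a certificate issued with ssh-keygen cannot carry a comma inside a single principal name; the guard matters for custom CA tooling that assembles the principals list itself.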
Rounding out the updates are two fixes for more technical operational flaws:
- ECDSA algorithm enforcement (CVE-2026-35387): before the fix, if a directive such as PubkeyAcceptedAlgorithms listed any specific ECDSA algorithm name (e.g. ecdsa-sha2-nistp384), any other ECDSA algorithm was mistakenly accepted as well, even though it was not listed. An administrator pinning a single curve therefore did not get the restriction they had configured.
- Multiplexing confirmation bypass (CVE-2026-35388): the interactive confirmation that ControlMaster ask is meant to require before a new session is attached to an existing multiplexed connection was not enforced for sessions opened in the mux proxy mode (ssh -O proxy).
All five flaws are fixed in OpenSSH 10.3. Administrators should upgrade; until they can, it is worth reviewing ssh_config files for Match exec directives that expand %r and avoiding legacy (-O) scp transfers run as root.