TL;DR
OpenSSH 10.4 landed on July 6 with eight security fixes. The most serious is a client-side use-after-free, CVE-2026-60002, scored 7.7. Most other issues involve file transfers and server hardening.
Why it matters
OpenSSH carries most SSH traffic across the internet. So even small flaws reach a huge install base. Servers you download from deserve extra caution. The client use-after-free triggers when a server swaps its host key mid-handshake. A malicious server could abuse that to crash or disrupt a client. Two file-transfer bugs also let a rogue server drop files in the wrong place. These security fixes therefore matter to admins everywhere.
How the attack works
Client-side risks
CVE-2026-60002 is a use-after-free on the SSH client. It fires when a server changes its host key during key re-exchange. In sftp, CVE-2026-59995 can steer a download to an unexpected path. In scp, CVE-2026-59996 can write a file into a parent directory. Both bugs need an attacker-controlled server. A patched client simply rejects that bad key swap.
Server-side hardening
Several sshd fixes tighten weak defaults. CVE-2026-60001 restores the minimum authentication delay. CVE-2026-59999 makes DisableForwarding override PermitTunnel. CVE-2026-60000 curbs a GSSAPI denial-of-service path. Two more fixes correct internal-sftp argument limits and a GSSAPI check. Admins gain safer defaults with no config change.
Affected versions
All eight flaws affect OpenSSH before 10.4. Version 10.4, also tagged 10.4p1, fixes them. So older 10.x and 9.x builds are all in scope.
Exploitation status
So far, no public exploit or in-the-wild abuse has appeared. OpenSSH does not rate these in its notes, and several are hardening steps.
Patch and mitigation
Upgrade to OpenSSH 10.4 as soon as your distro ships it. The full changes appear in the 10.4 release notes. Until then, connect only to trusted SFTP and SCP servers. Also review your sshd config after the upgrade.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.