CVE-2026-3497 — Use of Uninitialized Resource in Openssh
CWE-908 — Use of Uninitialized Resource
CWE-824 — Access of Uninitialized Pointer
12 documents, 9 sources
Severity
NVD: 6.9 MEDIUM
OSV: 3.6
EPSS
0.0%
top 89.84%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Mar 12
Description
Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the process, allows an attacker to send an unexpected GSSAPI message type during the GSSAPI key exchange to the server, which will call the underlying function and continue the execution of the program with…
CVSS vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
Affected Packages (3 packages)
Vulnerability Details (5)
GHSA: GHSA-wcpp-3x59-h8vp: Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions (2026-03-12)
OSV: CVE-2026-3497: Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions (2026-03-12)
CVEList: CVE-2026-3497: Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions (2026-03-12)
Vendor Advisories (4)
Threat Intelligence (1)
Community (1)
Bugzilla: CVE-2026-3497 openssh: OpenSSH GSSAPI: Information disclosure or denial of service due to uninitialized variables (2026-03-12)