CVE-2026-35387 — Always-Incorrect Control Flow Implementation in Openssh

CWE-670 — Always-Incorrect Control Flow Implementation CWE-115 — Misinterpretation of Input9 documents8 sources

Severity

3.1LOWNVD

EPSS

0.0%

top 91.47%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openbsd Openssh

Timeline

PublishedApr 2

Latest updateApr 3

Description

OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 1.6 | Impact: 1.4

Affected Packages1 packages

▶CVEListV5openbsd/openssh< 10.3

🔴Vulnerability Details

OSV

CVE-2026-35387: (OpenSSH before 10↗2026-04-03

▶

OSV

CVE-2026-35387: OpenSSH before 10↗2026-04-02

▶

CVEList

CVE-2026-35387: OpenSSH before 10↗2026-04-02

▶

GHSA

GHSA-hpxh-vgmp-3qp6: OpenSSH before 10↗2026-04-02

▶

📋Vendor Advisories

Red Hat

OpenSSH: OpenSSH: Information disclosure due to unintended cryptographic algorithm usage↗2026-04-02

▶

Microsoft

CVE-2026-35387: Mariner: Mariner mitre: mitre Customer Action Required: Yes↗2026-04-02

▶

Debian

CVE-2026-35387: openssh - OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA al...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-35387 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶