SB2026042990 - Ubuntu update for openssh




Published: April 29, 2026

Security Bulletin ID: SB2026042990
Severity: Low
Patch available: YES
Number of vulnerabilities: 5
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 5 security vulnerabilities.


1) Improper privilege management (CVE-ID: CVE-2026-35385)

The vulnerability allows a local privileged user to create files with unintended setuid or setgid bits.

The vulnerability exists due to improper privilege management in scp(1) when downloading files in legacy (-O) mode as root without the -p flag set. A local privileged user can download a file with crafted mode bits to create files with unintended setuid or setgid bits.

The issue occurs only in legacy mode and only when files are downloaded as root without preserving modes.


2) Input validation error (CVE-ID: CVE-2026-35386)

The vulnerability allows a local user to execute arbitrary shell commands.

The vulnerability exists due to improper input validation in ssh(1) when expanding %-tokens from ssh_config using a user name supplied on the command-line. A local user can supply a specially crafted user name to execute arbitrary shell commands.

Exploitation requires a configuration that uses the %u token in a Match exec block.


3) Improper access control (CVE-ID: CVE-2026-35387)

The vulnerability allows a remote user to bypass configured public key algorithm restrictions.

The vulnerability exists due to improper access control in sshd(8) when applying PubkeyAcceptedAlgorithms and HostbasedAcceptedAlgorithms to ECDSA keys. A remote user can authenticate using an unlisted ECDSA algorithm to bypass configured public key algorithm restrictions.

The issue occurs when one of these directives includes any ECDSA algorithm name.


4) Improper Authorization (CVE-ID: CVE-2026-35388)

The vulnerability allows a local user to bypass connection multiplexing confirmation.

The vulnerability exists due to improper access control in ssh(1) when handling proxy mode multiplexing sessions requested with ssh -O proxy under ControlMaster ask or autoask. A local user can initiate a proxy mode multiplexing session to bypass connection multiplexing confirmation.

The issue is limited to proxy mode multiplexing sessions.


5) Improper access control (CVE-ID: CVE-2026-35414)

The vulnerability allows a remote user to bypass principal restrictions in certificate-based authentication.

The vulnerability exists due to improper access control in sshd(8) when matching an authorized_keys principals="" option against a list of principals in a certificate. A remote user can present a specially crafted certificate to bypass principal restrictions in certificate-based authentication.

This condition only affects user-trusted CA keys in authorized_keys and requires multiple principals to be listed, including a certificate principal containing a comma character.
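
To help triage before patching, the following added example (not part of the bulletin, and not Ubuntu or OpenSSH tooling) checks configuration text for the preconditions stated in items 2, 3 and 5: a Match exec block that uses %u, an accepted-algorithms directive that names an ECDSA algorithm, and a cert-authority entry in authorized_keys whose principals="" option lists several names. The function names and the sample file contents are constructed for illustration.

```python
import re

# Directives the bulletin names for CVE-2026-35387.
ALGO_DIRECTIVES = ("pubkeyacceptedalgorithms", "hostbasedacceptedalgorithms")

def _lines(text):
    """Yield (line_number, line) for non-blank, non-comment config lines."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            yield n, line

def audit_ssh_config(text):
    """CVE-2026-35386 precondition: a Match line with exec that expands %u."""
    hits = []
    for n, line in _lines(text):
        m = re.match(r"match[\s=]+(.*)", line, re.I)
        # Drop "%%" (a literal percent sign) so only a real %u token counts.
        if m and re.search(r"\bexec\b", m.group(1), re.I) and "%u" in m.group(1).replace("%%", ""):
            hits.append(n)
    return hits

def audit_sshd_config(text):
    """CVE-2026-35387 precondition: an algorithm list naming any ECDSA algorithm."""
    hits = []
    for n, line in _lines(text):
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2 and parts[0].lower() in ALGO_DIRECTIVES and "ecdsa" in parts[1].lower():
            hits.append((n, parts[0]))
    return hits

def audit_authorized_keys(text):
    """CVE-2026-35414 precondition: cert-authority entry with several principals."""
    hits = []
    for n, line in _lines(text):
        m = re.search(r'\bprincipals="([^"]*)"', line, re.I)
        if m and "," in m.group(1) and re.search(r"\bcert-authority\b", line, re.I):
            hits.append(n)
    return hits

# Constructed sample inputs (not taken from the bulletin).
SSH_CONFIG = 'Host *\n  ServerAliveInterval 30\nMatch exec "/usr/local/bin/check-user %u"\n  ProxyJump bastion\nMatch exec "echo 100%%used"\n'
SSHD_CONFIG = "# hardening\nPubkeyAcceptedAlgorithms ssh-ed25519,ecdsa-sha2-nistp256\nHostbasedAcceptedAlgorithms ssh-ed25519\n"
AUTH_KEYS = 'cert-authority,principals="alice,deploy" ssh-ed25519 AAAA-constructed ca\ncert-authority,principals="alice" ssh-ed25519 AAAA-constructed ca\n'

if __name__ == "__main__":
    print("ssh_config Match exec with %u, lines:", audit_ssh_config(SSH_CONFIG))
    print("sshd_config ECDSA in algorithm list:", audit_sshd_config(SSHD_CONFIG))
    print("authorized_keys multi-principal CA, lines:", audit_authorized_keys(AUTH_KEYS))
```

A hit means only that the configuration condition described in the bulletin is present; whether the host is affected still depends on the installed openssh package version.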


Remediation

Install the update from the vendor's website.