SB2026051344 - Anolis OS update for openssh



SB2026051344 - Anolis OS update for openssh

Published: May 13, 2026

Security Bulletin ID SB2026051344
CSH Severity
Low
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 vulnerabilities.


1) Resource management error (CVE-ID: CVE-2026-3497)

CWE-ID: CWE-399 - Resource Management Errors

CVSSv4: CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to incorrect handling of disconnecting clients in OpenSSH GSSAPI Key Exchange when GSSAPIKeyExchange setting is enabled. An authenticated user can crash the OpenSSH server or potentially execute arbitrary code.


2) Improper privilege management (CVE-ID: CVE-2026-35385)

CWE-ID: CWE-269 - Improper Privilege Management

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local privileged user to create files with unintended setuid or setgid bits.

The vulnerability exists due to improper privilege management in scp(1) when downloading files in legacy (-O) mode as root without the -p flag set. A local privileged user can download a file with crafted mode bits to create files with unintended setuid or setgid bits.

The issue occurs only in legacy mode and only when files are downloaded as root without preserving modes.


3) Improper access control (CVE-ID: CVE-2026-35387)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to bypass configured public key algorithm restrictions.

The vulnerability exists due to improper access control in sshd(8) when applying PubkeyAcceptedAlgorithms and HostbasedAcceptedAlgorithms to ECDSA keys. A remote user can authenticate using an unlisted ECDSA algorithm to bypass configured public key algorithm restrictions.

The issue occurs when one of these directives includes any ECDSA algorithm name.


Remediation

Install update from vendor's website.