SB2026061206 - SUSE update for openssh
Published: June 12, 2026
Description
This security bulletin contains information about 4 vulnerabilities.
1) Resource management error (CVE-ID: CVE-2026-3497)
CWE-ID: CWE-399 - Resource Management Errors
CVSSv4: CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to incorrect handling of disconnecting clients in the OpenSSH GSSAPI key exchange when the GSSAPIKeyExchange setting is enabled. An authenticated user can crash the OpenSSH server or potentially execute arbitrary code.
2) Improper privilege management (CVE-ID: CVE-2026-35385)
CWE-ID: CWE-269 - Improper Privilege Management
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local privileged user to create files with unintended setuid or setgid bits.
The vulnerability exists due to improper privilege management in scp(1) when downloading files in legacy (-O) mode as root without the -p flag. A local privileged user can download a file with crafted mode bits, creating files with unintended setuid or setgid bits.
The issue occurs only in legacy mode and only when files are downloaded as root without preserving modes.
3) Improper Authorization (CVE-ID: CVE-2026-35388)
CWE-ID: CWE-285 - Improper Authorization
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to bypass connection multiplexing confirmation.
The vulnerability exists due to improper access control in ssh(1) when handling proxy mode multiplexing sessions requested with ssh -O proxy while ControlMaster is set to ask or autoask. A local user can initiate a proxy mode multiplexing session to bypass the connection multiplexing confirmation prompt.
The issue is limited to proxy mode multiplexing sessions.
4) Improper access control (CVE-ID: CVE-2026-35414)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to bypass principal restrictions in certificate-based authentication.
The vulnerability exists due to improper access control in sshd(8) when matching an authorized_keys principals="" option against a list of principals in a certificate. A remote user can present a specially crafted certificate to bypass principal restrictions in certificate-based authentication.
This condition only affects user-trusted CA keys in authorized_keys and requires multiple principals to be listed, including a certificate principal containing a comma character.
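The condition in item 4 is only reachable through cert-authority entries in authorized_keys that list more than one principal. The following script is an added example (not SUSE's or OpenSSH's code): it parses authorized_keys lines, including double-quoted option values, and reports such entries so an administrator can review them while the update is pending. The sample entries and key blobs are constructed placeholders.

```python
"""Flag authorized_keys cert-authority entries listing several principals, the setup
CVE-2026-35414 applies to. Added example, not OpenSSH or SUSE code; samples are constructed."""
import re

KEY_TYPE_RE = re.compile(r"^(ssh-|ecdsa-sha2-|sk-)")
# Options field: runs of non-space/non-quote characters or double-quoted strings
# (backslash escapes allowed inside quotes), terminated by whitespace.
OPTIONS_RE = re.compile(r'((?:[^\s"]|"(?:[^"\\]|\\.)*")+)\s+(.*)')
# One option token: stop at commas that are outside double quotes.
OPTION_TOKEN_RE = re.compile(r'(?:[^,"]|"(?:[^"\\]|\\.)*")+')

def parse_options(line):
    """Return the options dict for one key line, or None for blank, comment or malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if KEY_TYPE_RE.match(line):          # no options field on this line
        field, rest = "", line
    else:
        m = OPTIONS_RE.match(line)
        if m is None:
            return None
        field, rest = m.group(1), m.group(2)
    if len(rest.split(None, 2)) < 2:     # need at least key type and key blob
        return None
    options = {}
    for token in OPTION_TOKEN_RE.findall(field):
        name, _, value = token.partition("=")
        options[name.lower()] = value.strip('"')
    return options

def audit(text):
    """Return (line number, principals) for cert-authority entries naming more than one principal."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        options = parse_options(line)
        if options is not None and "cert-authority" in options:
            principals = [p for p in options.get("principals", "").split(",") if p]
            if len(principals) > 1:
                findings.append((lineno, principals))
    return findings

SAMPLE = """\
# constructed sample; key blobs are placeholders, not real keys
cert-authority,principals="alice,ops-admin" ssh-ed25519 AAAAC3placeholder user-ca
cert-authority,principals="bob" ssh-ed25519 AAAAC3placeholder single-ca
no-pty,command="/usr/bin/backup --verbose" ssh-rsa AAAAB3placeholder plain-key
ssh-ed25519 AAAAC3placeholder no-options
"""
```

Running audit() over a real file (for example the contents of a user's ~/.ssh/authorized_keys) lists the line numbers to review; entries with a single principal or without cert-authority are not reported.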
Remediation
Install the update from the vendor's website.