SB20260715100 - Ubuntu update for openssh



SB20260715100 - Ubuntu update for openssh

Published: July 15, 2026

Security Bulletin ID SB20260715100
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 8
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 50% Low 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 8 vulnerabilities.


1) Path traversal (CVE-ID: CVE-2026-59995)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to write files to an unexpected location.

The vulnerability exists due to improper path restriction in sftp(1) when downloading files on the command line using a remote path and a local dot destination. A remote attacker can operate a malicious server to write files to an unexpected location.



2) Path traversal (CVE-ID: CVE-2026-59996)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to write files outside the intended target directory.

The vulnerability exists due to improper path restriction in scp(1) when copying files between two remote destinations. A remote attacker can operate a malicious server to write files outside the intended target directory.


3) Improper Neutralization of Argument Delimiters in a Command (CVE-ID: CVE-2026-59997)

CWE-ID: CWE-88 - Argument Injection or Modification

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to bypass security-relevant SFTP server options.

The vulnerability exists due to improper input handling in the internal-sftp SFTP server implementation when processing long command lines. A remote privileged user can supply a command line with security-relevant options placed after the ninth argument to bypass security-relevant SFTP server options.

Only configurations using the internal-sftp SFTP server implementation are affected.


4) Configuration (CVE-ID: CVE-2026-59998)

CWE-ID: CWE-16 - Configuration

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The issue may allow a remote user to bypass implemented security restrictions.

The issue exists due to the the application has an undocumented security-relevant behavior: GSSAPIStrictAcceptorCheck has no value if the server is in Windows Active Directory. A remote user can bypass implemented security restriction. 


5) Improper access control (CVE-ID: CVE-2026-59999)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to enable tunneling despite forwarding restrictions.

The vulnerability exists due to improper access control in sshd(8) when DisableForwarding=yes and PermitTunnel=yes are configured together. A remote privileged user can use tunneling despite forwarding restrictions to enable tunneling despite forwarding restrictions.

Exploitation requires configurations where PermitTunnel is enabled.


6) Resource exhaustion (CVE-ID: CVE-2026-60000)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper resource handling in sshd(8) when processing pre-authentication GSSAPI requests. A remote attacker can send crafted authentication attempts to cause a denial of service.

Only configurations with GSSAPIAuthentication enabled are affected.


7) Protection mechanism failure (CVE-ID: CVE-2026-60001)

CWE-ID: CWE-693 - Protection Mechanism Failure

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to weaken authentication rate limiting.

The vulnerability exists due to improper enforcement of security policy in sshd(8) when handling authentication attempts. A remote attacker can send authentication attempts to weaken authentication rate limiting.

The issue affects cases where the minimum authentication delay was not enforced.


8) Use-after-free (CVE-ID: CVE-2026-60002)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to cause a client-side denial of service.

The vulnerability exists due to use-after-free in ssh(1) when processing a host key change during key reexchange. A remote attacker can change its host key during key reexchange to cause a client-side denial of service.


Remediation

Install update from vendor's website.