SB2026071535 - Multiple vulnerabilities in OpenSSH
Published: July 15, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 8 vulnerabilities.
1) Path traversal (CVE-ID: CVE-2026-59995)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to write files to an unexpected location.
The vulnerability exists due to improper path restriction in sftp(1) when downloading files on the command line using a remote path and a local dot destination. A remote attacker can operate a malicious server to write files to an unexpected location.
2) Path traversal (CVE-ID: CVE-2026-59996)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to write files outside the intended target directory.
The vulnerability exists due to improper path restriction in scp(1) when copying files between two remote destinations. A remote attacker can operate a malicious server to write files outside the intended target directory.
3) Improper Neutralization of Argument Delimiters in a Command (CVE-ID: CVE-2026-59997)
CWE-ID: CWE-88 - Argument Injection or Modification
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to bypass security-relevant SFTP server options.
The vulnerability exists due to improper input handling in the internal-sftp SFTP server implementation when processing long command lines. A remote privileged user can supply a command line with security-relevant options placed after the ninth argument to bypass security-relevant SFTP server options.
Only configurations using the internal-sftp SFTP server implementation are affected.
4) Configuration (CVE-ID: CVE-2026-59998)
CWE-ID: CWE-16 - Configuration
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The issue may allow a remote user to bypass implemented security restrictions.
The issue exists due to the the application has an undocumented security-relevant behavior: GSSAPIStrictAcceptorCheck has no value if the server is in Windows Active Directory. A remote user can bypass implemented security restriction.
5) Improper access control (CVE-ID: CVE-2026-59999)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to enable tunneling despite forwarding restrictions.
The vulnerability exists due to improper access control in sshd(8) when DisableForwarding=yes and PermitTunnel=yes are configured together. A remote privileged user can use tunneling despite forwarding restrictions to enable tunneling despite forwarding restrictions.
Exploitation requires configurations where PermitTunnel is enabled.
6) Resource exhaustion (CVE-ID: CVE-2026-60000)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper resource handling in sshd(8) when processing pre-authentication GSSAPI requests. A remote attacker can send crafted authentication attempts to cause a denial of service.
Only configurations with GSSAPIAuthentication enabled are affected.
7) Protection mechanism failure (CVE-ID: CVE-2026-60001)
CWE-ID: CWE-693 - Protection Mechanism Failure
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to weaken authentication rate limiting.
The vulnerability exists due to improper enforcement of security policy in sshd(8) when handling authentication attempts. A remote attacker can send authentication attempts to weaken authentication rate limiting.
The issue affects cases where the minimum authentication delay was not enforced.
8) Use-after-free (CVE-ID: CVE-2026-60002)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to cause a client-side denial of service.
The vulnerability exists due to use-after-free in ssh(1) when processing a host key change during key reexchange. A remote attacker can change its host key during key reexchange to cause a client-side denial of service.
Remediation
Install update from vendor's website.