A critical security flaw has been identified in the GSSAPI Key Exchange protocol, impacting numerous Linux distributions using OpenSSH. This vulnerability, cataloged as CVE-2026-3497, allows attackers to reliably crash SSH child processes and potentially breach privilege boundaries with a single malicious packet.
Discovery and Technical Details
Security researcher Jeremy Brown uncovered the defect within the server-side GSSAPI key exchange handler, specifically in the kexgsss.c file. The issue arises from the incorrect use of sshpkt_disconnect() instead of ssh_packet_disconnect() in error-handling code. This oversight leads to the transmission of uninitialized stack variable data, potentially causing heap memory corruption.
The vulnerability is classified under CWE-824 and CWE-908, with severe implications. A crafted SSH packet, approximately 300 bytes in size, can trigger the flaw without authentication. This results in significant security risks, including SIGABRT or SIGSEGV signals and reliable child process crashes in tested configurations.
Impact and Exploitation
The severity of the flaw varies based on compiler options and optimization flags across different distributions. Notably, systems compiled with Clang using -O0 show a pointer value of 0xfffbe600, whereas GCC with -O2 and -fno-stack-protector results in a valid heap address of 127,344 bytes. This discrepancy highlights the diverse impact across Linux systems.
Tests across eight builds revealed that the recv_tok.value could range from NULL to various memory regions. This vulnerability predominantly affects Ubuntu and Debian systems with the GSSAPI key exchange enabled, yet the impact likely spans further due to multiple GSSAPI KEX patch versions.
Mitigation and Recommendations
To address this vulnerability, administrators should replace all instances of sshpkt_disconnect() with ssh_packet_disconnect() within the kexgsss.c file. Ubuntu has already issued a patch to resolve this issue. It is crucial for system administrators to promptly apply updates or disable the GSSAPIKeyExchange temporarily to mitigate potential risks.
Staying informed about security updates is vital for maintaining system integrity. Follow reliable cybersecurity news sources for the latest information and updates. Administrators are encouraged to monitor their systems closely and ensure patches are applied promptly to safeguard against exploitation.
