CVE-2026-0966: Buffer Underwrite ('Buffer Underflow') in Red Hat Enterprise Linux 10
CVE-2026-0966 is a medium severity buffer underwrite vulnerability in Red Hat Enterprise Linux 10 affecting the ssh_get_hexa() API function. This function mishandles zero-length input, leading to potential buffer underflow conditions. The vulnerability can be triggered remotely when GSSAPI authentication is enabled and SSH logging verbosity is set to at least SSH_LOG_PACKET (3). Exploitation may cause a denial-of-service (DoS) by crashing the per-connection SSH daemon process, impacting availability. No confidentiality or integrity impact is expected. No authentication or user interaction is required to exploit this vulnerability. There are currently no known exploits in the wild. Organizations using Red Hat Enterprise Linux 10 with GSSAPI authentication and verbose SSH logging should prioritize patching and configuration adjustments to mitigate risk.
AI Analysis
Technical Summary
CVE-2026-0966 is a buffer underwrite (buffer underflow) vulnerability found in the ssh_get_hexa() function within Red Hat Enterprise Linux 10. This function is responsible for converting binary data to a hexadecimal string representation and is used internally by ssh_get_fingerprint_hash() and the deprecated ssh_print_hexa(). The vulnerability arises when a zero-length input is passed to ssh_get_hexa(), which is not properly validated, leading to a buffer underwrite condition. Additionally, the function is utilized in the GSSAPI authentication code path for logging Object Identifiers (OIDs) received by the server. When GSSAPI authentication is enabled and the SSH server's logging verbosity is set to SSH_LOG_PACKET (level 3) or higher, an attacker can remotely send crafted packets with zero-length OIDs that trigger the vulnerable code. This results in a buffer underwrite that can cause the per-connection SSH daemon process to crash, effectively causing a denial-of-service (DoS) condition. The vulnerability does not require authentication or user interaction, making it remotely exploitable over the network. The CVSS v3.0 base score is 6.5 (medium severity), reflecting the ease of remote exploitation and impact on availability, but no impact on confidentiality or integrity. No known exploits have been reported in the wild as of the publication date. The vulnerability affects Red Hat Enterprise Linux 10 installations that have GSSAPI authentication enabled and verbose SSH logging configured, which is common in enterprise environments requiring Kerberos or other GSSAPI mechanisms for authentication and detailed audit logging.
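The zero-length case described above, as an added C illustration (not the ssh_get_hexa() source and not code from this page): a hex encoder whose terminator index is derived from the input length, beside a checked form. The three-characters-per-byte "aa:bb:cc" layout and the names hex_unchecked, hex_checked and terminator_offset are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration; NOT the source of ssh_get_hexa(). The "aa:bb:cc"
 * layout (3 output chars per input byte) is an assumption of this example. */
static const char HEX[] = "0123456789abcdef";

/* Offset, relative to the buffer start, where the terminator is stored. */
long terminator_offset(size_t len) { return (long)len * 3 - 1; }

static void fill(char *out, const unsigned char *in, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        out[i * 3]     = HEX[in[i] >> 4];
        out[i * 3 + 1] = HEX[in[i] & 0x0f];
        out[i * 3 + 2] = ':';
    }
}

/* Unchecked: with len == 0 the index len*3-1 wraps, so the '\0' is stored
 * one byte BEFORE the allocation: a buffer underwrite. */
char *hex_unchecked(const unsigned char *in, size_t len)
{
    char *out = malloc(len * 3);
    if (out == NULL) return NULL;
    fill(out, in, len);
    out[len * 3 - 1] = '\0';   /* replaces last ':'; out[-1] when len == 0 */
    return out;
}

/* Checked: reject empty input and lengths whose len*3 would overflow.
 * Returning NULL for empty input is this example's choice. */
char *hex_checked(const unsigned char *in, size_t len)
{
    if (in == NULL || len == 0 || len > SIZE_MAX / 3) return NULL;
    char *out = malloc(len * 3);
    if (out == NULL) return NULL;
    fill(out, in, len);
    out[len * 3 - 1] = '\0';
    return out;
}

int main(void)
{
    const unsigned char oid[] = { 0x2a, 0x86, 0x48 };  /* constructed sample */
    char *s = hex_checked(oid, sizeof oid);
    printf("len=3 -> %s (offset %ld)\n", s ? s : "(null)", terminator_offset(3));
    printf("len=0 -> %s (unchecked offset %ld)\n",
           hex_checked(oid, 0) ? "string" : "rejected", terminator_offset(0));
    free(s);
    return 0;
}
```

Callers of the checked form must treat a NULL return as "nothing to log" rather than passing it to a format string.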
Potential Impact
The primary impact of CVE-2026-0966 is a denial-of-service (DoS) condition affecting the SSH daemon process handling individual connections. This can disrupt remote access services, potentially locking out administrators or automated systems relying on SSH for management. While the vulnerability does not compromise confidentiality or integrity, the loss of availability can have significant operational consequences, especially in environments with high dependency on SSH for secure remote administration. Organizations with automated orchestration, continuous integration/deployment pipelines, or critical infrastructure management relying on SSH may experience service interruptions. The vulnerability's remote exploitability without authentication increases risk, as attackers can trigger the DoS condition without prior access. However, the requirement for GSSAPI authentication and verbose logging reduces the attack surface somewhat, limiting impact to specific configurations. The absence of known exploits in the wild reduces immediate risk, but the medium severity score and potential for disruption warrant timely remediation.
Mitigation Recommendations
To mitigate CVE-2026-0966, organizations should apply the official security patches provided by Red Hat for Red Hat Enterprise Linux 10 as soon as they become available. Until patches are deployed, administrators can reduce risk by disabling GSSAPI authentication in the SSH server configuration if it is not required (set 'GSSAPIAuthentication no' in sshd_config). Additionally, lowering the SSH logging verbosity below SSH_LOG_PACKET (level 3) will prevent triggering the vulnerable code path during logging. Monitoring SSH daemon logs for unusual crashes or restarts can help detect attempted exploitation. Network-level controls such as rate limiting or firewall rules restricting SSH access to trusted IPs can further reduce exposure. Finally, auditing and updating SSH client and server configurations to minimize unnecessary features and verbose logging will reduce attack surface. Regularly reviewing Red Hat security advisories and subscribing to vulnerability notifications ensures timely awareness of patches and updates.
Affected Countries
United States, Germany, United Kingdom, Japan, South Korea, India, Canada, Australia, France, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: redhat
- Date Reserved: 2026-01-14T21:54:59.132Z
- CVSS Version: 3.0
- State: PUBLISHED
Threat ID: 69c5a54b3c064ed76fcfc842
Added to database: 3/26/2026, 9:29:47 PM
Last enriched: 3/26/2026, 9:47:14 PM
Last updated: 3/26/2026, 11:13:57 PM