CVE-2026-3497: CWE-908 Use of Uninitialized Resource in Ubuntu openssh
Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the process, allows an attacker to send an unexpected GSSAPI message type during the GSSAPI key exchange to the server, which will call the underlying function and continue the execution of the program without setting the related connection variables. As the variables are not initialized to NULL the code later accesses those uninitialized variables, accessing random memory, which could lead to undefined behavior. The recommended workaround is to use ssh_packet_disconnect() instead, which does terminate the process. The impact of the vulnerability depends heavily on the compiler flag hardening configuration.
AI Analysis
Technical Summary
This vulnerability arises from the use of sshpkt_disconnect() in Ubuntu's OpenSSH GSSAPI patches, which does not terminate the process on error. An attacker can send an unexpected GSSAPI message type during key exchange, causing the server to continue execution with uninitialized connection variables. These uninitialized variables may lead to undefined behavior due to random memory access. The upstream OpenSSH project is not affected; only Ubuntu's patched versions are vulnerable. The recommended workaround is to use ssh_packet_disconnect(), which terminates the process, but no official patch is currently documented.
Potential Impact
The vulnerability may cause undefined behavior on the server due to accessing uninitialized memory during GSSAPI key exchange. This could potentially lead to instability or crashes. The severity is rated low with a CVSS 4.0 score of 2.7. There are no known exploits in the wild. The actual impact depends on compiler hardening configurations.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The recommended workaround is to replace sshpkt_disconnect() with ssh_packet_disconnect() to ensure the process terminates on error, preventing use of uninitialized variables. Until an official fix is released, users should monitor Ubuntu security advisories for updates.
CVE-2026-3497: CWE-908 Use of Uninitialized Resource in Ubuntu openssh
Description
Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the process, allows an attacker to send an unexpected GSSAPI message type during the GSSAPI key exchange to the server, which will call the underlying function and continue the execution of the program without setting the related connection variables. As the variables are not initialized to NULL the code later accesses those uninitialized variables, accessing random memory, which could lead to undefined behavior. The recommended workaround is to use ssh_packet_disconnect() instead, which does terminate the process. The impact of the vulnerability depends heavily on the compiler flag hardening configuration.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability arises from the use of sshpkt_disconnect() in Ubuntu's OpenSSH GSSAPI patches, which does not terminate the process on error. An attacker can send an unexpected GSSAPI message type during key exchange, causing the server to continue execution with uninitialized connection variables. These uninitialized variables may lead to undefined behavior due to random memory access. The upstream OpenSSH project is not affected; only Ubuntu's patched versions are vulnerable. The recommended workaround is to use ssh_packet_disconnect(), which terminates the process, but no official patch is currently documented.
Potential Impact
The vulnerability may cause undefined behavior on the server due to accessing uninitialized memory during GSSAPI key exchange. This could potentially lead to instability or crashes. The severity is rated low with a CVSS 4.0 score of 2.7. There are no known exploits in the wild. The actual impact depends on compiler hardening configurations.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The recommended workaround is to replace sshpkt_disconnect() with ssh_packet_disconnect() to ensure the process terminates on error, preventing use of uninitialized variables. Until an official fix is released, users should monitor Ubuntu security advisories for updates.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- canonical
- Date Reserved
- 2026-03-03T19:33:05.664Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 69b30a4d2f860ef943dbc47e
Added to database: 3/12/2026, 6:47:41 PM
Last enriched: 4/17/2026, 11:10:32 AM
Last updated: 4/28/2026, 4:28:15 AM
Views: 74
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.