OpenSSH GSSAPI bug can crash SSH child processes on some Linux builds


A newly disclosed OpenSSH flaw can let an unauthenticated attacker crash SSH child processes with a crafted packet, but it does not affect upstream OpenSSH itself. The issue, tracked as CVE-2026-3497, affects GSSAPI Key Exchange patches carried by various Linux distributions rather than the core upstream project.

The bug appears in non-default setups where GSSAPIKeyExchange is enabled. Ubuntu says a remote attacker could use the issue to crash OpenSSH and cause a denial of service, and possibly execute arbitrary code, if that setting is turned on.

According to the CVE record, the problem comes from the use of sshpkt_disconnect() in an error path instead of ssh_packet_disconnect(). Because the first function does not terminate the process, execution continues with connection variables left uninitialized, which can lead to undefined behavior when later code touches random memory.

That is why researchers describe this as more than a simple crash bug. The exact outcome depends heavily on compiler flags and hardening options, so some builds may only produce a reliable denial of service while others could expose a more serious memory-safety problem. Canonical’s CVSS v4 score for the issue is 6.9, which places it in the medium range.

What is actually affected

Item | Status
---- | ------
Upstream OpenSSH | Not affected
Linux distributions with GSSAPI delta patches | Potentially affected
Default OpenSSH installs without GSSAPIKeyExchange enabled | Not exposed to this issue
Ubuntu systems with GSSAPIKeyExchange yes | Affected in non-default configurations

The most important distinction is that this is a distro-patch issue, not an upstream OpenSSH bug. NVD says the vulnerability affects GSSAPI patches added by various Linux distributions, and Ubuntu’s advisory confirms exposure only in non-default configurations where GSSAPI key exchange is enabled.

Why admins should pay attention

Even though this is not a default-path bug, SSH sits on critical infrastructure. A remotely reachable flaw that can kill child processes with one packet can still create a practical service disruption, especially on exposed bastion hosts or legacy Kerberos-integrated environments that enabled GSSAPI key exchange for compatibility reasons. Ubuntu also leaves open the possibility of code execution, which raises the priority for affected systems.

The public disclosure also notes that multiple versions of the GSSAPI patch exist across distributions. That means impact can vary from one distro build to another, and teams should not assume the problem is limited to one package version just because the underlying code lineage looks similar.

What to do now

  • Check whether your SSH servers have GSSAPIKeyExchange set to yes.
  • Apply your distribution’s OpenSSH security updates immediately.
  • Treat this as a distro package issue, not something fixed by waiting for upstream OpenSSH alone.
  • Disable GSSAPIKeyExchange as a temporary mitigation if you cannot patch right away.
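The following POSIX shell script is an added example, not part of the article and not OpenSSH's own tooling, that carries out the first and last steps of the checklist above. It reads an sshd configuration (a raw sshd_config or, preferably, the effective configuration printed by `sshd -T`, a standard sshd flag that resolves Include directives and defaults) and reports whether GSSAPIKeyExchange is on, then prints a drop-in fragment that turns it off. Function names, the constructed sample configuration, and the assumption that your distribution's sshd_config includes a drop-in directory before its other settings are mine.

```shell
#!/bin/sh
# Added example (not from the article or the OpenSSH project): check whether an
# sshd configuration enables GSSAPI key exchange, the setting that gates exposure
# to CVE-2026-3497 on distribution builds carrying the GSSAPI patch.
# Function names and the sample configuration below are my own constructions.

# gssapi_kex_enabled reads sshd configuration text on stdin and returns 0 (true)
# when GSSAPIKeyExchange resolves to "yes". It accepts either a raw sshd_config or
# the output of `sshd -T`, which prints effective values with lowercase keywords.
# Rules applied, matching sshd's parser: keywords are case-insensitive, keyword
# and value may be separated by whitespace or "=", comment and blank lines are
# ignored, and the FIRST occurrence of a keyword wins.
gssapi_kex_enabled() {
    val=$(awk '
        { sub(/^[[:space:]]+/, "") }          # drop leading indentation
        /^#/ || /^$/ { next }                 # skip comments and blank lines
        {
            split($0, f, /[[:space:]=]+/)
            if (tolower(f[1]) == "gssapikeyexchange") { print tolower(f[2]); exit }
        }')
    [ "$val" = "yes" ]
}

# check_running_sshd asks the installed sshd for its effective configuration and
# prints a one-line verdict. Returns 0 when the server has the feature enabled.
# `sshd -T` normally needs root, because it loads the host keys.
check_running_sshd() {
    if ! command -v sshd >/dev/null 2>&1; then
        echo "sshd not found on this host"
        return 2
    fi
    if sshd -T 2>/dev/null | gssapi_kex_enabled; then
        echo "GSSAPIKeyExchange is enabled: patch the distro openssh-server package or disable the setting"
        return 0
    fi
    echo "GSSAPIKeyExchange is not enabled: not exposed to CVE-2026-3497"
    return 1
}

# mitigation_dropin prints the content of a drop-in file that turns the feature
# off. Because sshd honours the first occurrence of a keyword, the drop-in only
# takes effect if it is Included before any GSSAPIKeyExchange line in
# sshd_config (assumption: Ubuntu's stock sshd_config includes
# /etc/ssh/sshd_config.d/*.conf at the top; verify on your build).
# Validate with `sshd -t` and reload sshd afterwards.
mitigation_dropin() {
    printf '# Temporary mitigation for CVE-2026-3497 until the distro package is patched\n'
    printf 'GSSAPIKeyExchange no\n'
}

# Demo on a constructed sshd_config fragment (not a real file): the commented
# line must not count, "=" must be accepted, and the later "no" must be ignored
# because the earlier "yes" wins.
sample_cfg='Include /etc/ssh/sshd_config.d/*.conf
Port 22
# GSSAPIKeyExchange yes
GSSAPIKeyExchange = yes
GSSAPIKeyExchange no
'
if printf '%s' "$sample_cfg" | gssapi_kex_enabled; then
    echo "sample config: GSSAPI key exchange ENABLED"
else
    echo "sample config: GSSAPI key exchange disabled"
fi

# Run the live check only when explicitly asked: sh check.sh --live (as root).
if [ "${1:-}" = "--live" ]; then
    check_running_sshd
fi
```

Run it as root with `--live` on each SSH server; if it reports the feature enabled and the patched package is not yet installed, write the drop-in output into the include directory, confirm with `sshd -t`, reload sshd, and re-run the check to see the effective value change.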

Ubuntu has already shipped fixes in its March 12, 2026 security notices for supported releases: 22.04 LTS, 24.04 LTS, and 25.10 in the original notice, and 20.04 LTS in a follow-up notice. Its update guidance says a standard system update should apply the necessary changes.

The CVE record also points to the code-level workaround: use ssh_packet_disconnect() instead of sshpkt_disconnect() in the affected error path. For administrators, the practical short-term mitigation is simpler: disable GSSAPI key exchange unless you truly need it.

FAQ

What is CVE-2026-3497?

It is a vulnerability in GSSAPI Key Exchange patches carried by some Linux distributions for OpenSSH. It can let an attacker send an unexpected GSSAPI message and trigger undefined behavior, including child process crashes.

Does this affect upstream OpenSSH?

No. NVD explicitly says the bug does not affect the upstream OpenSSH project.

Can this be exploited without authentication?

Yes. Ubuntu says a remote attacker could trigger the issue in non-default configurations where GSSAPIKeyExchange is enabled.

Is the feature enabled by default?

No. Ubuntu’s advisory says exposure requires a non-default configuration with GSSAPIKeyExchange enabled.

What should admins do first?

Patch the distro package and disable GSSAPIKeyExchange if you do not need it.
