Total
122 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2016-10708 | 4 Canonical, Debian, Netapp and 1 more | 12 Ubuntu Linux, Debian Linux, Cloud Backup and 9 more | 2026-04-29 | 5.0 MEDIUM | 7.5 HIGH |
| sshd in OpenSSH before 7.4 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYS message, as demonstrated by Honggfuzz, related to kex.c and packet.c. | |||||
| CVE-2013-4548 | 1 Openbsd | 1 Openssh | 2026-04-29 | 6.0 MEDIUM | N/A |
| The mm_newkeys_from_blob function in monitor_wrap.c in sshd in OpenSSH 6.2 and 6.3, when an AES-GCM cipher is used, does not properly initialize memory for a MAC context data structure, which allows remote authenticated users to bypass intended ForceCommand and login-shell restrictions via packet data that provides a crafted callback address. | |||||
| CVE-2014-1692 | 1 Openbsd | 1 Openssh | 2026-04-29 | 7.5 HIGH | N/A |
| The hash_buffer function in schnorr.c in OpenSSH through 6.4, when Makefile.inc is modified to enable the J-PAKE protocol, does not initialize certain data structures, which might allow remote attackers to cause a denial of service (memory corruption) or have unspecified other impact via vectors that trigger an error condition. | |||||
| CVE-2011-0539 | 1 Openbsd | 1 Openssh | 2026-04-29 | 5.0 MEDIUM | N/A |
| The key_certify function in usr.bin/ssh/key.c in OpenSSH 5.6 and 5.7, when generating legacy certificates using the -t command-line option in ssh-keygen, does not initialize the nonce field, which might allow remote attackers to obtain sensitive stack memory contents or make it easier to conduct hash collision attacks. | |||||
| CVE-2011-4327 | 1 Openbsd | 1 Openssh | 2026-04-29 | 2.1 LOW | N/A |
| ssh-keysign.c in ssh-keysign in OpenSSH before 5.8p2 on certain platforms executes ssh-rand-helper with unintended open file descriptors, which allows local users to obtain sensitive key information via the ptrace system call. | |||||
| CVE-2010-4478 | 1 Openbsd | 1 Openssh | 2026-04-29 | 7.5 HIGH | N/A |
| OpenSSH 5.6 and earlier, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol, a related issue to CVE-2010-4252. | |||||
| CVE-2010-5107 | 1 Openbsd | 1 Openssh | 2026-04-29 | 5.0 MEDIUM | N/A |
| The default configuration of OpenSSH through 6.1 enforces a fixed time limit between establishing a TCP connection and completing a login, which makes it easier for remote attackers to cause a denial of service (connection-slot exhaustion) by periodically making many new TCP connections. | |||||
| CVE-2011-5000 | 1 Openbsd | 1 Openssh | 2026-04-29 | 3.5 LOW | N/A |
| The ssh_gssapi_parse_ename function in gss-serv.c in OpenSSH 5.8 and earlier, when gssapi-with-mic authentication is enabled, allows remote authenticated users to cause a denial of service (memory consumption) via a large value in a certain length field. NOTE: there may be limited scenarios in which this issue is relevant. | |||||
| CVE-2012-0814 | 1 Openbsd | 1 Openssh | 2026-04-29 | 3.5 LOW | N/A |
| The auth_parse_options function in auth-options.c in sshd in OpenSSH before 5.7 provides debug messages containing authorized_keys command options, which allows remote authenticated users to obtain potentially sensitive information by reading these messages, as demonstrated by the shared user account required by Gitolite. NOTE: this can cross privilege boundaries because a user account may intentionally have no shell or filesystem access, and therefore may have no supported way to read an authorized_keys file in its own home directory. | |||||
| CVE-2010-4755 | 3 Freebsd, Netbsd, Openbsd | 4 Freebsd, Netbsd, Openbsd and 1 more | 2026-04-29 | 4.0 MEDIUM | N/A |
| The (1) remote_glob function in sftp-glob.c and the (2) process_put function in sftp.c in OpenSSH 5.8 and earlier, as used in FreeBSD 7.3 and 8.1, NetBSD 5.0.2, OpenBSD 4.7, and other products, allow remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in SSH_FXP_STAT requests to an sftp daemon, a different vulnerability than CVE-2010-2632. | |||||
| CVE-2026-35388 | 1 Openbsd | 1 Openssh | 2026-04-27 | N/A | 2.5 LOW |
| OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions. | |||||
| CVE-2026-35387 | 1 Openbsd | 1 Openssh | 2026-04-27 | N/A | 3.1 LOW |
| OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms. | |||||
| CVE-2026-35386 | 1 Openbsd | 1 Openssh | 2026-04-27 | N/A | 3.6 LOW |
| In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configurations of % in ssh_config. | |||||
| CVE-2026-35385 | 1 Openbsd | 1 Openssh | 2026-04-27 | N/A | 7.5 HIGH |
| In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode). | |||||
| CVE-2007-3102 | 2 Fedora Project, Openbsd | 2 Fedora Core, Openssh | 2026-04-23 | 4.3 MEDIUM | N/A |
| Unspecified vulnerability in the linux_audit_record_event function in OpenSSH 4.3p2, as used on Fedora Core 6 and possibly other systems, allows remote attackers to write arbitrary characters to an audit log via a crafted username. NOTE: some of these details are obtained from third party information. | |||||
| CVE-2008-5161 | 2 Openbsd, Ssh | 5 Openssh, Tectia Client, Tectia Connector and 2 more | 2026-04-23 | 2.6 LOW | N/A |
| Error handling in the SSH protocol in (1) SSH Tectia Client and Server and Connector 4.0 through 4.4.11, 5.0 through 5.2.4, and 5.3 through 5.3.8; Client and Server and ConnectSecure 6.0 through 6.0.4; Server for Linux on IBM System z 6.0.4; Server for IBM z/OS 5.5.1 and earlier, 6.0.0, and 6.0.1; and Client 4.0-J through 4.3.3-J and 4.0-K through 4.3.10-K; and (2) OpenSSH 4.7p1 and possibly other versions, when using a block cipher algorithm in Cipher Block Chaining (CBC) mode, makes it easier for remote attackers to recover certain plaintext data from an arbitrary block of ciphertext in an SSH session via unknown vectors. | |||||
| CVE-2008-1483 | 1 Openbsd | 1 Openssh | 2026-04-23 | 6.9 MEDIUM | N/A |
| OpenSSH 4.3p2, and probably other versions, allows local users to hijack forwarded X connections by causing ssh to set DISPLAY to :10, even when another process is listening on the associated port, as demonstrated by opening TCP port 6010 (IPv4) and sniffing a cookie sent by Emacs. | |||||
| CVE-2008-4109 | 2 Debian, Openbsd | 2 Linux, Openssh | 2026-04-23 | 5.0 MEDIUM | N/A |
| A certain Debian patch for OpenSSH before 4.3p2-9etch3 on etch; before 4.6p1-1 on sid and lenny; and on other distributions such as SUSE uses functions that are not async-signal-safe in the signal handler for login timeouts, which allows remote attackers to cause a denial of service (connection slot exhaustion) via multiple login attempts. NOTE: this issue exists because of an incorrect fix for CVE-2006-5051. | |||||
| CVE-2009-2904 | 3 Fedoraproject, Openbsd, Redhat | 5 Fedora, Openssh, Enterprise Linux and 2 more | 2026-04-23 | 6.9 MEDIUM | N/A |
| A certain Red Hat modification to the ChrootDirectory feature in OpenSSH 4.8, as used in sshd in OpenSSH 4.3 in Red Hat Enterprise Linux (RHEL) 5.4 and Fedora 11, allows local users to gain privileges via hard links to setuid programs that use configuration files within the chroot directory, related to requirements for directory ownership. | |||||
| CVE-2008-1657 | 1 Openbsd | 1 Openssh | 2026-04-23 | 6.5 MEDIUM | N/A |
| OpenSSH 4.4 up to versions before 4.9 allows remote authenticated users to bypass the sshd_config ForceCommand directive by modifying the .ssh/rc session file. | |||||