CVE-2026-3497

{"id": "CVE-2026-3497", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security@ubuntu.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-12T19:16:19.910", "references": [{"url": "https://ubuntu.com/security/CVE-2026-3497", "source": "security@ubuntu.com"}, {"url": "https://www.openwall.com/lists/oss-security/2026/03/12/3", "source": "security@ubuntu.com"}, {"url": "http://www.openwall.com/lists/oss-security/2026/03/12/3", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.openwall.com/lists/oss-security/2026/03/14/3", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.openwall.com/lists/oss-security/2026/03/14/4", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.openwall.com/lists/oss-security/2026/03/18/2", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.openwall.com/lists/oss-security/2026/03/18/4", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.openwall.com/lists/oss-security/2026/03/18/5", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.openwall.com/lists/oss-security/2026/03/18/7", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security@ubuntu.com", "description": [{"lang": "en", "value": "CWE-908"}]}], "descriptions": [{"lang": "en", "value": "Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the process, allows an attacker to send an unexpected GSSAPI message type during the GSSAPI key exchange to the server, which will call the underlying function and continue the execution of the program without setting the related connection variables. As the variables are not initialized to NULL the code later accesses those uninitialized variables, accessing random memory, which could lead to undefined behavior. The recommended workaround is to use ssh_packet_disconnect() instead, which does terminate the process. The impact of the vulnerability depends heavily on the compiler flag hardening configuration."}, {"lang": "es", "value": "Vulnerabilidad en el delta GSSAPI de OpenSSH incluida en varias distribuciones de Linux. Esta vulnerabilidad afecta a los parches GSSAPI a\u00f1adidos por varias distribuciones de Linux y no afecta al proyecto upstream de OpenSSH en s\u00ed. El uso de sshpkt_disconnect() en caso de error, que no termina el proceso, permite a un atacante enviar un tipo de mensaje GSSAPI inesperado durante el intercambio de claves GSSAPI al servidor, lo que llamar\u00e1 a la funci\u00f3n subyacente y continuar\u00e1 la ejecuci\u00f3n del programa sin establecer las variables de conexi\u00f3n relacionadas. Como las variables no se inicializan a NULL, el c\u00f3digo accede posteriormente a esas variables no inicializadas, accediendo a memoria aleatoria, lo que podr\u00eda llevar a un comportamiento indefinido. La soluci\u00f3n alternativa recomendada es usar ssh_packet_disconnect() en su lugar, que s\u00ed termina el proceso. El impacto de la vulnerabilidad depende en gran medida de la configuraci\u00f3n de endurecimiento de las banderas del compilador."}], "lastModified": "2026-03-18T19:16:07.923", "sourceIdentifier": "security@ubuntu.com"}