usn-8533-1
Vulnerability from osv_ubuntu
Published
2026-07-13 13:07
Modified
2026-07-13 13:07
Summary
openssh vulnerabilities
Details

It was discovered that OpenSSH sftp did not properly constrain the location of downloaded files when connecting to an attacker-controlled server. An attacker could possibly use this issue to write files to unintended locations on the file system. (CVE-2026-59995)

It was discovered that OpenSSH scp could place files in the parent directory of the intended destination when copying between two remote hosts. An attacker could possibly use this issue to write files to unintended locations. (CVE-2026-59996)

It was discovered that OpenSSH internal-sftp only recognized the first nine command-line arguments, This could result in certain security-sensitive arguments being ignored, contrary to expectations. (CVE-2026-59997)

It was discovered that OpenSSH had undocumented behaviour regarding the GSSAPIStrictAcceptorCheck option in environments using Windows Active Directory. The documentation has been updated to clarify use of the option. (CVE-2026-59998)

It was discovered that OpenSSH did not properly enforce precedence of DisableForwarding=yes over PermitTunnel=yes in server configurations. This could possibly result in intended network forwarding restrictions being bypassed, contrary to expectations. (CVE-2026-59999)

It was discovered that OpenSSH mishandled the MaxAuthTries limit for GSSAPI authentication. A remote attacker could use this issue to perform excessive authentication attempts. (CVE-2026-60000)

It was discovered that OpenSSH did not always honour the minimum authentication delay. An attacker could possibly use this issue to perform brute-force attacks more efficiently. (CVE-2026-60001)

It was discovered that the OpenSSH client had a use-after-free vulnerability when a server changed its host key during a key re-exchange. An attacker able to intercept communications could possibly use this issue to execute arbitrary code or obtain sensitive information. (CVE-2026-60002)


{
  "affected": [
    {
      "database_specific": {
        "cves_map": {
          "cves": [
            {
              "id": "CVE-2026-59995",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2026-59996",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2026-59997",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2026-59998",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2026-59999",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2026-60000",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2026-60001",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2026-60002",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            }
          ],
          "ecosystem": "Ubuntu:22.04:LTS"
        }
      },
      "ecosystem_specific": {
        "availability": "No subscription required",
        "binaries": [
          {
            "binary_name": "openssh-client",
            "binary_version": "1:8.9p1-3ubuntu0.16"
          },
          {
            "binary_name": "openssh-server",
            "binary_version": "1:8.9p1-3ubuntu0.16"
          },
          {
            "binary_name": "openssh-sftp-server",
            "binary_version": "1:8.9p1-3ubuntu0.16"
          },
          {
            "binary_name": "openssh-tests",
            "binary_version": "1:8.9p1-3ubuntu0.16"
          },
          {
            "binary_name": "ssh",
            "binary_version": "1:8.9p1-3ubuntu0.16"
          },
          {
            "binary_name": "ssh-askpass-gnome",
            "binary_version": "1:8.9p1-3ubuntu0.16"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:22.04:LTS",
        "name": "openssh",
        "purl": "pkg:deb/ubuntu/openssh@1:8.9p1-3ubuntu0.16?arch=source\u0026distro=jammy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:8.9p1-3ubuntu0.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1:8.4p1-6ubuntu2",
        "1:8.7p1-2",
        "1:8.7p1-2build1",
        "1:8.7p1-4",
        "1:8.8p1-1",
        "1:8.9p1-3",
        "1:8.9p1-3ubuntu0.1",
        "1:8.9p1-3ubuntu0.3",
        "1:8.9p1-3ubuntu0.4",
        "1:8.9p1-3ubuntu0.5",
        "1:8.9p1-3ubuntu0.6",
        "1:8.9p1-3ubuntu0.7",
        "1:8.9p1-3ubuntu0.10",
        "1:8.9p1-3ubuntu0.11",
        "1:8.9p1-3ubuntu0.13",
        "1:8.9p1-3ubuntu0.14",
        "1:8.9p1-3ubuntu0.15"
      ]
    },
    {
      "database_specific": {
        "cves_map": {
          "cves": [
            {
              "id": "CVE-2026-59995",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2026-59996",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2026-59997",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2026-59998",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2026-59999",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2026-60000",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2026-60001",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2026-60002",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            }
          ],
          "ecosystem": "Ubuntu:24.04:LTS"
        }
      },
      "ecosystem_specific": {
        "availability": "No subscription required",
        "binaries": [
          {
            "binary_name": "openssh-client",
            "binary_version": "1:9.6p1-3ubuntu13.18"
          },
          {
            "binary_name": "openssh-server",
            "binary_version": "1:9.6p1-3ubuntu13.18"
          },
          {
            "binary_name": "openssh-sftp-server",
            "binary_version": "1:9.6p1-3ubuntu13.18"
          },
          {
            "binary_name": "openssh-tests",
            "binary_version": "1:9.6p1-3ubuntu13.18"
          },
          {
            "binary_name": "ssh",
            "binary_version": "1:9.6p1-3ubuntu13.18"
          },
          {
            "binary_name": "ssh-askpass-gnome",
            "binary_version": "1:9.6p1-3ubuntu13.18"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:24.04:LTS",
        "name": "openssh",
        "purl": "pkg:deb/ubuntu/openssh@1:9.6p1-3ubuntu13.18?arch=source\u0026distro=noble"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:9.6p1-3ubuntu13.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1:9.3p1-1ubuntu3",
        "1:9.4p1-1ubuntu1",
        "1:9.6p1-3ubuntu1",
        "1:9.6p1-3ubuntu2",
        "1:9.6p1-3ubuntu11",
        "1:9.6p1-3ubuntu12",
        "1:9.6p1-3ubuntu13",
        "1:9.6p1-3ubuntu13.3",
        "1:9.6p1-3ubuntu13.4",
        "1:9.6p1-3ubuntu13.5",
        "1:9.6p1-3ubuntu13.7",
        "1:9.6p1-3ubuntu13.8",
        "1:9.6p1-3ubuntu13.9",
        "1:9.6p1-3ubuntu13.11",
        "1:9.6p1-3ubuntu13.12",
        "1:9.6p1-3ubuntu13.13",
        "1:9.6p1-3ubuntu13.14",
        "1:9.6p1-3ubuntu13.15",
        "1:9.6p1-3ubuntu13.16"
      ]
    },
    {
      "database_specific": {
        "cves_map": {
          "cves": [
            {
              "id": "CVE-2026-59995",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2026-59996",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2026-59997",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2026-59998",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2026-59999",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2026-60000",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2026-60001",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2026-60002",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            }
          ],
          "ecosystem": "Ubuntu:26.04:LTS"
        }
      },
      "ecosystem_specific": {
        "availability": "No subscription required",
        "binaries": [
          {
            "binary_name": "openssh-client",
            "binary_version": "1:10.2p1-2ubuntu3.4"
          },
          {
            "binary_name": "openssh-client-gssapi",
            "binary_version": "1:10.2p1-2ubuntu3.4"
          },
          {
            "binary_name": "openssh-server",
            "binary_version": "1:10.2p1-2ubuntu3.4"
          },
          {
            "binary_name": "openssh-server-gssapi",
            "binary_version": "1:10.2p1-2ubuntu3.4"
          },
          {
            "binary_name": "openssh-sftp-server",
            "binary_version": "1:10.2p1-2ubuntu3.4"
          },
          {
            "binary_name": "openssh-tests",
            "binary_version": "1:10.2p1-2ubuntu3.4"
          },
          {
            "binary_name": "ssh",
            "binary_version": "1:10.2p1-2ubuntu3.4"
          },
          {
            "binary_name": "ssh-askpass-gnome",
            "binary_version": "1:10.2p1-2ubuntu3.4"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:26.04:LTS",
        "name": "openssh",
        "purl": "pkg:deb/ubuntu/openssh@1:10.2p1-2ubuntu3.4?arch=source\u0026distro=resolute"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:10.2p1-2ubuntu3.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1:10.0p1-5ubuntu5",
        "1:10.2p1-2ubuntu1",
        "1:10.2p1-2ubuntu3",
        "1:10.2p1-2ubuntu3.2"
      ]
    }
  ],
  "aliases": [],
  "details": "It was discovered that OpenSSH sftp did not properly constrain the location\nof downloaded files when connecting to an attacker-controlled server. An\nattacker could possibly use this issue to write files to unintended\nlocations on the file system. (CVE-2026-59995)\n\nIt was discovered that OpenSSH scp could place files in the parent\ndirectory of the intended destination when copying between two remote\nhosts. An attacker could possibly use this issue to write files to\nunintended locations. (CVE-2026-59996)\n\nIt was discovered that OpenSSH internal-sftp only recognized the first nine\ncommand-line arguments, This could result in certain security-sensitive\narguments being ignored, contrary to expectations. (CVE-2026-59997)\n\nIt was discovered that OpenSSH had undocumented behaviour regarding the\nGSSAPIStrictAcceptorCheck option in environments using Windows Active\nDirectory. The documentation has been updated to clarify use of the option.\n(CVE-2026-59998)\n\nIt was discovered that OpenSSH did not properly enforce precedence of\nDisableForwarding=yes over PermitTunnel=yes in server configurations. This\ncould possibly result in intended network forwarding restrictions being\nbypassed, contrary to expectations. (CVE-2026-59999)\n\nIt was discovered that OpenSSH mishandled the MaxAuthTries limit for GSSAPI\nauthentication. A remote attacker could use this issue to perform excessive\nauthentication attempts. (CVE-2026-60000)\n\nIt was discovered that OpenSSH did not always honour the minimum\nauthentication delay. An attacker could possibly use this issue to perform\nbrute-force attacks more efficiently. (CVE-2026-60001)\n\nIt was discovered that the OpenSSH client had a use-after-free\nvulnerability when a server changed its host key during a key re-exchange.\nAn attacker able to intercept communications could possibly use this issue\nto execute arbitrary code or obtain sensitive information. (CVE-2026-60002)",
  "id": "USN-8533-1",
  "modified": "2026-07-13T13:07:08Z",
  "published": "2026-07-13T13:07:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://ubuntu.com/security/notices/USN-8533-1"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2026-59995"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2026-59996"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2026-59997"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2026-59998"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2026-59999"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2026-60000"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2026-60001"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2026-60002"
    }
  ],
  "related": [],
  "schema_version": "1.7.0",
  "summary": "openssh vulnerabilities",
  "upstream": [
    "UBUNTU-CVE-2026-59995",
    "UBUNTU-CVE-2026-59996",
    "UBUNTU-CVE-2026-59997",
    "UBUNTU-CVE-2026-59998",
    "UBUNTU-CVE-2026-59999",
    "UBUNTU-CVE-2026-60000",
    "UBUNTU-CVE-2026-60001",
    "UBUNTU-CVE-2026-60002"
  ]
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…