Back

Critical OpenSSH Vulnerabilities Affecting Multiple Ubuntu Versions

Severity: High (Score: 74.0)

Sources: Ubuntu, Linuxsecurity, launchpad.net

Summary

Multiple vulnerabilities in OpenSSH have been discovered, affecting Ubuntu 22.04 LTS and its derivatives. Key issues include improper handling of the legacy scp protocol, which could lead to unintended setuid or setgid file installations (CVE-2026-35385), and vulnerabilities allowing arbitrary code execution via crafted usernames (CVE-2026-35386). Other vulnerabilities involve incorrect parsing of security options (CVE-2026-35387) and proxy-mode multiplexing issues (CVE-2026-35388). The vulnerabilities were published on April 2, 2026, with the first public proof of concept for CVE-2026-35414 released today. Users are advised to update their systems to mitigate these risks. The affected versions include Ubuntu 26.04 LTS, 25.10, 24.04 LTS, and 22.04 LTS, with specific package versions provided for remediation. Key Points: • OpenSSH vulnerabilities could lead to arbitrary code execution and privilege escalation. • Affected Ubuntu versions include 22.04 LTS and derivatives, with critical updates required. • First public PoC for CVE-2026-35414 released today, increasing urgency for patching.

Key Entities

  • CVE-2026-35385 (cve)
  • CVE-2026-35386 (cve)
  • CVE-2026-35387 (cve)
  • CVE-2026-35388 (cve)
  • CVE-2026-35414 (cve)
  • CWE-269 - Improper Privilege Management (cwe)
  • CWE-78 - OS Command Injection (cwe)
  • OpenSSH (platform)
  • Ubuntu (company)
  • SCP (tool)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed