Fedora Releases Important Security Fixes for Putty Vulnerabilities
Severity: High (Score: 60.6)
Sources: Linuxsecurity, www.chiark.greenend.org.uk
Summary
On May 25, 2026, Fedora released updates for Putty addressing multiple security vulnerabilities: CVE-2026-48850, a double free vulnerability in the RSA KEX code; CVE-2026-48851, in which TELNET session data is marked with trust sigils after proxy authentication; and CVE-2026-48852, an assertion failure in ECDSA signature verification. Until patched, systems running the affected versions remain exposed to these flaws. The updates are available for Fedora 43 and 44, and users are advised to upgrade using the dnf update program. The vulnerabilities are tracked in Bugzilla under several identifiers, confirming their existence and the need for prompt action. The updates are important for maintaining the security of systems using the Putty application, and users are encouraged to apply the patches promptly to mitigate risk.

Key Points:
• Fedora released security updates for Putty on May 25, 2026, addressing critical vulnerabilities.
• CVE-2026-48850 involves a double free vulnerability in RSA KEX code.
• Users of Fedora 43 and 44 are urged to upgrade to protect against these vulnerabilities.
Detailed Analysis
**Impact**
Users of Fedora 43 and Fedora 44 running Putty versions prior to 0.84-1 are affected by multiple vulnerabilities. These issues could lead to memory corruption and to untrusted session data being wrongly marked as trusted, potentially impacting secure communications in any sector relying on SSH and Telnet. No specific data breach or operational impact figures are provided in the source articles.

**Technical Details**
The vulnerabilities are CVE-2026-48850 (double free in RSA key exchange), CVE-2026-48851 (TELNET session data improperly marked with trust sigils after proxy authentication), and CVE-2026-48852 (assertion failure in ECDSA signature verification). These flaws sit in the cryptographic and session-handling components of Putty, so the exposed code paths are the key exchange, signature verification and proxy authentication phases of a connection. No malware, attack infrastructure, or IOCs are detailed.

**Recommended Response**
Apply the Putty 0.84-1 update via Fedora's dnf package manager immediately, using advisory FEDORA-2026-61f53cc218 (Fedora 43) or FEDORA-2026-1ab61e6e20 (Fedora 44). Monitor network traffic for anomalies in SSH and Telnet sessions, especially around proxy authentication. Harden configurations to limit exposure of Putty until the patches are applied. No additional detection signatures or IOCs are provided.
Source articles (3)
- Fedora 44 Putty Important Fix for Double Free Vulnerability 2026 — Linuxsecurity · 2026-06-10
  Excerpt: * Mon May 25 2026 Jaroslav Škarvada - 0.84-1 - New version. Resolves: rhbz#2480724 [1] Bug #2480724 - putty-0.84 is a…
- Fedora 43 Putty Important Fix for Security Issues 2026 — Linuxsecurity · 2026-06-10
  Excerpt: same 0.84-1 changelog entry as above (Resolves: rhbz#2480724)
- Putty — www.chiark.greenend.org.uk · 2026-06-10
Timeline
- 2026-05-25 — Fedora updates Putty for security vulnerabilities: Fedora released updates for Putty, fixing CVE-2026-48850, CVE-2026-48851, and CVE-2026-48852, which affect the security of the application.
- 2026-05-25 — CVE-2026-48850 published: CVE-2026-48850 details a double free vulnerability in the RSA KEX code of Putty, potentially exploitable by attackers.
- 2026-05-25 — CVE-2026-48851 published: CVE-2026-48851 concerns TELNET session data being improperly marked with trust sigils after proxy authentication.
- 2026-05-25 — CVE-2026-48852 published: CVE-2026-48852 describes an assertion failure in ECDSA signature verification.
CVEs
- CVE-2026-48850 — double free in the RSA KEX code
- CVE-2026-48851 — TELNET session data improperly marked with trust sigils after proxy authentication
- CVE-2026-48852 — assertion failure in ECDSA signature verification
Related entities
- England (Country)
- Wales (Country)
- CWE-415 - Double Free (CWE)
- cryptolaw.org (Domain)
- Fedora (Company)
- Plink (Tool)
- PSCP (Tool)
- PSFTP (Tool)
- Putty (Tool)
- Double Free Vulnerability (Vulnerability)