PT-2026-29833 · OpenBSD+4 · OpenSSH+4

Rabbit · Published 2026-04-02 · Updated 2026-05-28 · CVE-2026-35386

CVSS v3.1: 8.1 (High)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

OpenSSH versions prior to 10.3

Description

OpenSSH versions before 10.3 may allow command execution through shell metacharacters present in a username specified within a command line. This requires an untrusted username on the command line and a non-default configuration of '%' in the ssh config file.

Recommendations

Update to OpenSSH version 10.3 or later.

Fix

DoS

Weakness Enumeration

Related Identifiers

ALSA-2026:13380
ALSA-2026:13381
ALSA-2026:13383
ALSA-2026:19069
ALSA-2026:19219
CVE-2026-35386
ECHO-96EA-A64A-B85B
JLSEC-2026-75
OESA-2026-1963
RHSA-2026:12389
RHSA-2026:13380
RHSA-2026:13381
RHSA-2026:13383
RHSA-2026:19069
RHSA-2026:19219
USN-8222-1

Affected Products

IBM AIX
Linux Mint
OpenSSH
Rocky Linux
Ubuntu