Ubuntu Fixes 8 OpenSSH Vulnerabilities Including an RCE Flaw

Ubuntu

Ubuntu

Track EOL dates for all Ubuntu versions.

View all versions →
Key Takeaways
  • CVE-2026-60002 is the most severe – a use-after-free in the SSH client allowing RCE or information disclosure via MITM attack.
  • Two brute-force facilitation flaws (CVE-2026-60000, CVE-2026-60001) weaken MaxAuthTries and authentication delay protections.
  • Two file write flaws (CVE-2026-59995, CVE-2026-59996) affect sftp and scp when connecting to attacker-controlled servers.

Ubuntu published security notice USN-8533-1 on July 13, 2026, patching 8 OpenSSH vulnerabilities across Ubuntu 22.04 LTS, 24.04 LTS, and 26.04 LTS. The openssh vulnerability batch ranges from file write flaws in sftp and scp, to brute-force facilitation issues, to a use-after-free in the SSH client that can result in remote code execution.

OpenSSH is installed on virtually every Linux server. Unlike application-level vulnerabilities, an SSH flaw sits at the access layer – the tool used to manage everything else. That makes this patch batch higher priority than most.

Remote Code Execution via MITM

CVE-2026-60002 is a use-after-free vulnerability in the OpenSSH client triggered when a server changes its host key during key re-exchange. An attacker positioned to intercept SSH communications could exploit this to execute arbitrary code or obtain sensitive information on the client system. Apply this update as soon as possible on any system where SSH client connections are made to external or untrusted hosts.

What Is OpenSSH and Why Does This Matter?

OpenSSH is the implementation of the SSH protocol used for secure remote access, file transfers (via scp and sftp), and tunneling on virtually all Linux systems. When an OpenSSH vulnerability is discovered, it does not affect one application – it affects the primary channel through which systems are administered.

This is why openssh vulnerability news consistently generates high attention from security teams. A flaw in a web application affects that application. A flaw in SSH affects administrative access to everything.

Affected Ubuntu Releases and Fixed Versions

All three current Ubuntu LTS releases are affected:

Ubuntu Release Package Fixed Version
26.04 LTS (Resolute) openssh-client, openssh-server 1:10.2p1-2ubuntu3.4
24.04 LTS (Noble) openssh-client, openssh-server 1:9.6p1-3ubuntu13.18
22.04 LTS (Jammy) openssh-client, openssh-server 1:8.9p1-3ubuntu0.16

All fixes are available through standard system updates. For end-of-life Ubuntu releases, you will need the Expanded Security Maintenance (ESM), available with Ubuntu Pro.

Which OpenSSH Version Is Not Vulnerable?

The fixed versions are listed in the table above per Ubuntu release. To check your currently installed version:

ssh -V

Or check the package version directly:

apt-cache policy openssh-client openssh-server

If your installed version is lower than the fixed version for your Ubuntu release, your system is vulnerable and should be updated immediately.

Full OpenSSH Vulnerability List (USN-8533-1)

CVE Component Impact
CVE-2026-59995 sftp (client) Arbitrary file write to unintended filesystem locations via attacker-controlled server
CVE-2026-59996 scp (remote-to-remote) File placement in parent directory of intended destination via attacker-controlled server
CVE-2026-59997 internal-sftp Security-sensitive arguments silently ignored beyond the ninth argument
CVE-2026-59998 GSSAPIStrictAcceptorCheck Undocumented behaviour in Windows AD environments (documentation clarified)
CVE-2026-59999 DisableForwarding / PermitTunnel Network forwarding restrictions bypassed via configuration precedence flaw
CVE-2026-60000 GSSAPI authentication Brute-force facilitation via MaxAuthTries limit bypass
CVE-2026-60001 Authentication delay Brute-force facilitation via minimum authentication delay bypass
CVE-2026-60002 SSH client (key re-exchange) Remote code execution or information disclosure via use-after-free

Most Severe OpenSSH Vulnerabilities in This Batch

CVE-2026-60002 – Use-After-Free RCE in SSH Client

The most critical openssh vulnerability in this notice. When a server changes its host key during a key re-exchange, the OpenSSH client has a use-after-free condition that an attacker positioned as a MITM can exploit to execute arbitrary code or extract sensitive information from the client process.

This affects the client side – meaning the risk is on any system making outbound SSH connections, including automated scripts, deployment pipelines, and developer workstations connecting to external hosts.

Who is most at risk

Systems running automated SSH connections to external endpoints – CI/CD pipelines, backup scripts, deployment tools – are particularly exposed to MITM-based exploitation. If your infrastructure makes outbound SSH connections to hosts you do not fully control, prioritise this patch.

CVE-2026-60000 and CVE-2026-60001 – Brute-Force Facilitation

Two separate flaws that individually weaken SSH authentication protections, but together represent a meaningful degradation of brute-force resistance:

CVE-2026-60000

OpenSSH mishandled the MaxAuthTries limit specifically for GSSAPI authentication. An attacker could exceed the configured maximum authentication attempts, effectively bypassing one of SSH's primary brute-force defences.

CVE-2026-60001

OpenSSH did not always enforce the minimum authentication delay. This allows an attacker to attempt authentication faster than the server intended, improving brute-force efficiency.

Context on brute-force risk

If your SSH servers are exposed to the public internet without additional protections like fail2ban, allowlisted source IPs, or certificate-only authentication, these two CVEs increase your exposure meaningfully. The fix removes both bypasses, but hardening your SSH configuration beyond the defaults remains good practice regardless.

CVE-2026-59995 and CVE-2026-59996 – File Write via Attacker-Controlled Server

CVE-2026-59995

OpenSSH's sftp client did not properly constrain where downloaded files could be written when connecting to an attacker-controlled server. A malicious server could direct file writes to unintended filesystem locations.

CVE-2026-59996

OpenSSH's scp had a similar issue when copying between two remote hosts: files could be placed in the parent directory of the intended destination.

Both flaws require the client to connect to an attacker-controlled server, making them most relevant in scenarios where users connect to untrusted or third-party SSH endpoints.

CVE-2026-59997 – Silent Argument Truncation in internal-sftp

OpenSSH's internal-sftp subsystem only recognised the first nine command-line arguments. Arguments beyond the ninth – including security-sensitive flags – were silently ignored. This is a configuration correctness issue: administrators who believed certain restrictions were in effect may find they were not being applied.

Check your sshd_config

If you use internal-sftp with more than nine arguments in your sshd_config Subsystem directive, audit your configuration after applying this update to confirm all intended arguments are being processed. This may require restructuring how arguments are passed.

CVE-2026-59999 – ForwardingDisable Precedence Bypass

OpenSSH did not properly enforce the precedence of DisableForwarding=yes over PermitTunnel=yes in server configurations. Administrators who intended to disable all forwarding via DisableForwarding=yes may have had that restriction bypassed if PermitTunnel=yes was also present.

Is OpenSSH Secure?

OpenSSH has a strong long-term security track record relative to the sensitivity of what it protects. The project is actively maintained, audited regularly, and vulnerabilities are typically patched quickly. The 2026 batch covered in USN-8533-1 ranges from documentation clarifications to a genuine RCE flaw – which reflects normal software security lifecycle rather than a systemic problem with OpenSSH.

That said, "secure software" and "secure configuration" are different things. The brute-force CVEs in this notice highlight that even well-designed rate-limiting can be bypassed at the implementation level. Keeping OpenSSH patched is necessary but not sufficient – hardening your SSH configuration and restricting access by IP where possible remain important layers of defence.

How to Fix OpenSSH Vulnerabilities on Ubuntu

A standard system update patches all 8 vulnerabilities:

sudo apt update && sudo apt upgrade

After updating, verify the installed version matches the fixed version for your release:

apt-cache policy openssh-server

Restart the SSH service to apply the updated server binary:

sudo systemctl restart ssh

Do not lock yourself out

Before restarting the SSH service on a remote system, ensure you have an alternative access method available (console access, out-of-band management, a second active SSH session) in case the restart encounters an issue. Test the new configuration with sshd -t before restarting.

References

Tagged: Security Notices cve openssh rce security ssh ubuntu vulnerabilities