OpenSSH GSSAPI Patch Flaw: Remote Pre-Auth Exploit

A vulnerability (CVE-2026-3497) has been identified in gssapi.patch, the out-of-tree patch that many Linux distributions apply to OpenSSH to add GSSAPI-based key exchange. It can lead to a pointer dereference, memory corruption, and a bypass of the privilege separation (privsep) mechanism, and it is exploitable remotely before authentication. The researcher who found the issue demonstrated crashing the SSH server by sending a single crafted network packet; beyond denial of service, more serious exploitation has not been ruled out.

Notably, the OpenSSH developers had earlier declined to merge the GSSAPI key exchange support upstream over security concerns, yet many Linux distributions carry the patch in their OpenSSH packages. Several revisions of the patch are in circulation, and most of them contain the flaw. At the time of writing the fix is available only as a patch: in kexgsss.c, the call to sshpkt_disconnect() is replaced with ssh_packet_disconnect(). The distinction matters because in OpenSSH sshpkt_disconnect() queues an SSH2_MSG_DISCONNECT and returns an error code that the caller must act on, whereas ssh_packet_disconnect() sends the message and terminates the process via cleanup_exit(), so the handler cannot continue past the error path.
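The following is a constructed illustration added here, not code from OpenSSH, from gssapi.patch, or from the fix. It does not reproduce the kexgsss.c code path; it only models the two disconnect semantics so the effect of the swap can be seen: a "disconnect" helper that returns lets the caller keep running on unvalidated state, while one that never returns does not. All demo_ names and the struct are hypothetical, and process exit is modelled with longjmp so the behaviour can be exercised in-process.

```c
/* Constructed illustration (not OpenSSH or gssapi.patch code) of a
 * disconnect helper that returns versus one that terminates the process.
 * All demo_ names are hypothetical. */
#include <setjmp.h>
#include <stddef.h>
#include <string.h>

/* Toy stand-in for per-connection state a KEX handler works on. */
struct demo_conn {
    const char *peer_name;        /* set only once the peer's message validates */
    int disconnect_sent;          /* 1 once a DISCONNECT was queued or sent */
    int dereferenced_unvalidated; /* 1 if code ran on state that never validated */
};

/* Models a helper like sshpkt_disconnect(): queues the DISCONNECT and
 * returns an error code; the caller keeps running unless it checks it. */
static int demo_disconnect_returning(struct demo_conn *c, const char *why)
{
    (void)why;
    c->disconnect_sent = 1;
    return -1; /* error code the caller is expected to propagate */
}

/* Models a helper like ssh_packet_disconnect(): sends the DISCONNECT and
 * never returns. cleanup_exit() is modelled with longjmp. */
static jmp_buf demo_exit_jmp;
static _Noreturn void demo_disconnect_terminating(struct demo_conn *c, const char *why)
{
    (void)why;
    c->disconnect_sent = 1;
    longjmp(demo_exit_jmp, 1); /* modelled process termination */
}

/* Handler written as though the disconnect ended the session, but using
 * the returning helper without acting on its result. When validation
 * fails it falls through and reaches code that assumes peer_name was set.
 * Returns 1 if unvalidated state was used, 0 on the normal path. */
static int demo_handle_returning(struct demo_conn *c, int msg_ok)
{
    if (!msg_ok) {
        demo_disconnect_returning(c, "bad message");
        /* Bug modelled here: no return after the error path. */
    }
    if (c->peer_name == NULL) {
        c->dereferenced_unvalidated = 1; /* stands in for a real NULL dereference */
        return 1;
    }
    return strlen(c->peer_name) > 0 ? 0 : 1;
}

/* Same handler with the terminating helper: control never comes back,
 * so nothing after the error path runs when validation fails.
 * Returns -1 if the modelled process exit was taken, 1 if unvalidated
 * state was used, 0 on the normal path. */
static int demo_handle_terminating(struct demo_conn *c, int msg_ok)
{
    if (setjmp(demo_exit_jmp) != 0)
        return -1; /* reached only via demo_disconnect_terminating() */
    if (!msg_ok)
        demo_disconnect_terminating(c, "bad message");
    if (c->peer_name == NULL) {
        c->dereferenced_unvalidated = 1;
        return 1;
    }
    return strlen(c->peer_name) > 0 ? 0 : 1;
}
```

Feed both handlers a connection whose message failed validation (msg_ok = 0, peer_name still NULL): the returning variant reports that unvalidated state was used after the DISCONNECT was queued, while the terminating variant leaves via the modelled exit with that flag still clear. Checking the return value of the returning helper and bailing out would fix the model too; the distribution fix described above takes the terminating route instead.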

The vulnerability has been confirmed in Debian and Ubuntu. Other distributions are investigating whether they ship the problematic patch and are affected, such as SUSE/openSUSE, RHEL,
