A flaw was found in OpenSSH. This vulnerability, a heap out-of-bounds read, occurs during the cleanup of GSSAPI (Generic Security Service Application Programming Interface) indicators when a trailing NULL termination is missing in the auth-indicators array. A remote attacker, under specific configurations involving GSSAPI authentication and a Kerberos environment, could exploit this to cause the SSH authentication path to crash or abort. This leads to a denial of service (DoS), impacting the availability of the SSH service.
Title: OpenSSH: heap out-of-bounds read in Red Hat Enterprise Linux versions of OpenSSH GSSAPI indicator cleanup due to missing NULL sentinel termination
State: PUBLISHED
CVE record version: 5.2
Problem type: CWE-125 (Out-of-bounds Read)
Affected products
Red Hat
Red Hat Enterprise Linux 10
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 9
Red Hat Hardened Images
Red Hat OpenShift Container Platform 4
References
access.redhat.com
https://access.redhat.com/security/cve/CVE-2026-55654
RHBZ#2462493
https://bugzilla.redhat.com/show_bug.cgi?id=2462493
GitHub Security Advisories
GHSA-5mx2-7g4j-9m39
https://github.com/advisories/GHSA-5mx2-7g4j-9m39
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-55654
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-55654",
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"dateUpdated": "2026-06-23T03:37:00.160Z",
"dateReserved": "2026-06-16T23:55:05.737Z",
"datePublished": "2026-06-23T03:37:00.160Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat",
"dateUpdated": "2026-06-23T03:37:00.160Z"
},
"datePublic": "2026-06-22T23:18:14.750Z",
"title": "Openssh: heap out-of-bounds read in red hat enterprise linux versions of openssh gssapi indicator cleanup due to missing null sentinel termination",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in OpenSSH. This vulnerability, a heap out-of-bounds read, occurs during the cleanup of GSSAPI (Generic Security Service Application Programming Interface) indicators when a trailing NULL termination is missing in the auth-indicators array. A remote attacker, under specific configurations involving GSSAPI authentication and a Kerberos environment, could exploit this to cause the SSH authentication path to crash or abort. This leads to a denial of service (DoS), impacting the availability of the SSH service."
}
],
"affected": [
{
"vendor": "Red Hat",
"product": "Red Hat Enterprise Linux 10",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "openssh",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "affected"
},
{
"vendor": "Red Hat",
"product": "Red Hat Enterprise Linux 6",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "openssh",
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "affected"
},
{
"vendor": "Red Hat",
"product": "Red Hat Enterprise Linux 7",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "openssh",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "affected"
},
{
"vendor": "Red Hat",
"product": "Red Hat Enterprise Linux 8",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "openssh",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "affected"
},
{
"vendor": "Red Hat",
"product": "Red Hat Enterprise Linux 9",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "openssh",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected"
},
{
"vendor": "Red Hat",
"product": "Red Hat Hardened Images",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "openssh",
"cpes": [
"cpe:/a:redhat:hummingbird:1"
],
"defaultStatus": "affected"
},
{
"vendor": "Red Hat",
"product": "Red Hat OpenShift Container Platform 4",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "rhcos",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "unknown"
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "Out-of-bounds Read",
"cweId": "CWE-125",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://access.redhat.com/security/cve/CVE-2026-55654",
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
]
},
{
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2462493",
"name": "RHBZ#2462493",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
]
}
],
"metrics": [
{},
{
"format": "CVSS",
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"attackVector": "NETWORK",
"attackComplexity": "HIGH",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"availabilityImpact": "LOW",
"baseScore": 3.7,
"baseSeverity": "LOW"
}
}
],
"timeline": [
{
"time": "2026-04-26T19:17:42.000Z",
"lang": "en",
"value": "Reported to Red Hat."
},
{
"time": "2026-06-22T23:18:14.750Z",
"lang": "en",
"value": "Made public."
}
]
}
}
}