{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2026-35388", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-04-02T16:57:30.433Z", "datePublished": "2026-04-02T16:57:31.073Z", "dateUpdated": "2026-04-02T18:16:41.820Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "OpenSSH", "vendor": "OpenBSD", "versions": [{"lessThan": "10.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 2.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-420", "description": "CWE-420 Unprotected Alternate Channel", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-02T18:16:41.820Z"}, "references": [{"url": "https://www.openssh.org/releasenotes.html#10.3p1"}, {"url": "https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2"}, {"url": "https://www.openwall.com/lists/oss-security/2026/04/02/3"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.3"}]}]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T17:46:05.234251Z", "id": "CVE-2026-35388", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T17:46:41.643Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35388", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-02T17:46:05.234251Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T17:46:32.744Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.5, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "OpenBSD", "product": "OpenSSH", "versions": [{"status": "affected", "version": "0", "lessThan": "10.3", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.openssh.org/releasenotes.html#10.3p1"}, {"url": "https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2"}, {"url": "https://www.openwall.com/lists/oss-security/2026/04/02/3"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-420", "description": "CWE-420 Unprotected Alternate Channel"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "10.3"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-02T18:16:41.820Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35388", "state": "PUBLISHED", "dateUpdated": "2026-04-02T18:16:41.820Z", "dateReserved": "2026-04-02T16:57:30.433Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-02T16:57:31.073Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions."}], "id": "CVE-2026-35388", "lastModified": "2026-04-03T16:10:23.730", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 2.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 1.4, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-04-02T17:16:27.947", "references": [{"source": "cve@mitre.org", "url": "https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2"}, {"source": "cve@mitre.org", "url": "https://www.openssh.org/releasenotes.html#10.3p1"}, {"source": "cve@mitre.org", "url": "https://www.openwall.com/lists/oss-security/2026/04/02/3"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-420"}], "source": "cve@mitre.org", "type": "Primary"}]}

{"bugzilla": {"description": "OpenSSH: OpenSSH: Low integrity impact from unconfirmed proxy-mode multiplexing sessions", "id": "2454500", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454500"}, "csaw": false, "cvss3": {"cvss3_base_score": "2.2", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N", "status": "draft"}, "cwe": "CWE-306", "details": ["OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions.", "A flaw was found in OpenSSH. This vulnerability allows for a low integrity impact due to the omission of connection multiplexing confirmation for proxy-mode multiplexing sessions. A local user, under specific and complex conditions requiring user interaction, could potentially establish a multiplexed session without explicit confirmation, leading to unintended data handling."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-35388", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "openssh", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Fix deferred", "package_name": "openssh", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "openssh", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "openssh", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "openssh", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-04-02T16:57:31Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-35388\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-35388\nhttps://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2\nhttps://www.openssh.org/releasenotes.html#10.3p1\nhttps://www.openwall.com/lists/oss-security/2026/04/02/3"], "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,10.3)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "OpenSSH", "source": "cna", "vendor": "OpenBSD"}, "product": "openssh", "vendor": "openbsd"}], "analysis": {"en": {"generated_at": "2026-04-04T03:57:04.739437+00:00", "value": {"mitigation_remediation": ["Apply the latest OpenSSH update (10.3p1 or later).", "If an immediate update is not possible, disable connection multiplexing on the server (e.g., set ControlMaster=none).", "Monitor SSH logs for unexpected proxy-mode multiplexing sessions."], "summary": {"action": "Update", "impact": "Integrity compromise via unconfirmed proxy-mode multiplexing sessions"}, "threat_synthesis": {"affected_systems": "Affected systems are OpenBSD OpenSSH installations running any build before version 10.3p1. No further sub\u2011version information is supplied, so any release older than 10.3p1 can be impacted.", "description_and_impact": "OpenSSH versions prior to 10.3 do not verify the confirmation step when establishing multiplexed proxy-mode sessions. This omission allows an attacker who can initiate a multiplexed connection to the SSH server to create proxy tunnels without the SSH server confirming proper session parameters. The result is a potential degradation of data integrity: traffic routed through these tunnels may be manipulated or replaced. The core weakness is related to missing authentication of multiplexed sessions, classified under CWE-306 (Missing Authentication for Critical Function) and CWE-420 (Untrusted Control of Resource).", "risk_and_exploitability": "The CVSS score of 2.5 signals a low severity issue. Exploitation requires an attacker who can reach the SSH port and issue a multiplexed connection request. The EPSS score is below 1%, indicating a very small likelihood of real\u2011world exploitation, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack path does not provide remote code execution or denial of service; it mainly affords integrity degradation through unverified proxy tunnels."}}}}, "created": "2026-04-03T07:32:29.155789+00:00", "updated": "2026-04-07T07:55:55.280038+00:00", "vendors": ["openbsd", "openbsd$PRODUCT$openssh"]}