CVE-2026-55654— Openssh: heap out-of-bounds read in red hat enterprise linux versions of openssh gssapi indicator cleanup due to missing null sentinel termination
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-55654
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Openssh: heap out-of-bounds read in red hat enterprise linux versions of openssh gssapi indicator cleanup due to missing null sentinel termination
Source: NVD (National Vulnerability Database)
Vulnerability Description
A flaw was found in OpenSSH. This vulnerability, a heap out-of-bounds read, occurs during the cleanup of GSSAPI (Generic Security Service Application Programming Interface) indicators when a trailing NULL termination is missing in the auth-indicators array. A remote attacker, under specific configurations involving GSSAPI authentication and a Kerberos environment, could exploit this to cause the SSH authentication path to crash or abort. This leads to a denial of service (DoS), impacting the availability of the SSH service.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
跨界内存读
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Red Hat | Red Hat Enterprise Linux 10 | - | cpe:/o:redhat:enterprise_linux:10 | |
| Red Hat | Red Hat Enterprise Linux 6 | - | cpe:/o:redhat:enterprise_linux:6 | |
| Red Hat | Red Hat Enterprise Linux 7 | - | cpe:/o:redhat:enterprise_linux:7 | |
| Red Hat | Red Hat Enterprise Linux 8 | - | cpe:/o:redhat:enterprise_linux:8 | |
| Red Hat | Red Hat Enterprise Linux 9 | - | cpe:/o:redhat:enterprise_linux:9 | |
| Red Hat | Red Hat Hardened Images | - | cpe:/a:redhat:hummingbird:1 | |
| Red Hat | Red Hat OpenShift Container Platform 4 | - | cpe:/a:redhat:openshift:4 |
II. Public POCs for CVE-2026-55654
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-55654
请登录查看更多情报信息。
Other References for CVE-2026-55654 (2)
Same Patch Batch · Red Hat · 2026-06-23 · 12 CVEs total
| CVE-2026-11807 | 9.6 CRITICAL | Eda-server: websocket missing authorization allows credential theft via activation_id spoo |
| CVE-2026-12112 | 7.8 HIGH | Foreman-mcp-server: mcp server: active session hijacking via insecure session state reuse |
| CVE-2026-10609 | 6.8 MEDIUM | Openshift/cluster-logging-operator: cluster logging operator creates and forwards servicea |
| CVE-2026-11820 | 6.5 MEDIUM | Community.general: community.general nexmo — api credentials exposed in get url query stri |
| CVE-2026-9073 | 6.2 MEDIUM | Foreman-mcp-server: mcp server: insecure sensitive http header sanitization |
| CVE-2026-11819 | 5.5 MEDIUM | Community.general: community.general keyring_info — os keyring passphrase returned in plai |
| CVE-2026-12969 | 5.3 MEDIUM | Dnsmasq: dnsmasq: out-of-bounds read in find_soa() due to missing extrabytes validation |
| CVE-2026-55655 | 5.0 MEDIUM | Openssh: local mitm of x11 forwarding via abstract unix socket pre-binding in red hat ente |
| CVE-2026-12892 | 4.4 MEDIUM | Gstreamer1-plugins-bad: gstreamer1-plugins-bad: 1-byte heap out-of-bounds read in h.264 na |
| CVE-2026-55653 | 4.3 MEDIUM | Openssh: double free in red hat enterprise linux versions of openssh dh-gex client path du |
| CVE-2026-12891 | 4.3 MEDIUM | Gstreamer1-plugins-bad: gstreamer1-plugins-bad: global buffer overflow (oob read) in h.266 |
IV. Related Vulnerabilities
Same product: Red Hat Enterprise Linux 10
- CVE-2026-12892
Gstreamer1-plugins-bad: gstreamer1-plugins-bad: 1-byte heap - CVE-2026-12891
Gstreamer1-plugins-bad: gstreamer1-plugins-bad: global buffe - CVE-2026-11820
Community.general: community.general nexmo — api credentials - CVE-2026-11819
Community.general: community.general keyring_info — os keyri - CVE-2026-12969
Dnsmasq: dnsmasq: out-of-bounds read in find_soa() due to mi
Same vendor: Red Hat
- CVE-2026-13434
Virt-controller-rhel9: kubevirt: kubevirt: multus default-ne - CVE-2026-13325
Virt-handler-rhel9: kubevirt: kubevirt: disabletls migration - CVE-2026-13322
Kubevirt: virt-handler-rhel9: kubevirt: unbounded virtio-ser - CVE-2026-13083
Pen-drive: pen-drive: stored xss via unescaped cluster data - CVE-2026-13318
Virt-api-rhel9: kubevirt: kubevirt: ssrf in virt-api port-fo
Same weakness: CWE-125
- CVE-2026-54341
Dragonfly: RESTORE operations may crash the server - CVE-2026-12340
Out-of-bounds heap read in SM2/SM3 certificate Subject Key I - CVE-2026-56788
RTKLIB 2.4.3 - Out-of-bounds Read via Negative Array Index i - CVE-2026-12897
Out-of-bounds read in Horner Automation Cscape - CVE-2026-6094
Heap buffer overread in wc_PKCS7_DecodeEnvelopedData parsing
V. Comments for CVE-2026-55654
No comments yet