CVE-2026-35387
Published: April 4, 2026Last modified: April 17, 2026
Description
OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 6.5 |
| Attack Vector | NETWORK |
| Attack complexity | HIGH |
| Privileges required | NONE |
| User interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality | HIGH |
| Integrity impact | LOW |
| Availability impact | NONE |
| Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N |
Status
| Product | Release | Package | Status |
|---|---|---|---|
| Alpaquita Linux | 23 LTS | openssh | Unknown (9.1_p1-r3) |
| 25 LTS | openssh | Fixed (10.3_p1-r0) | |
| Stream | openssh | Fixed (10.3_p1-r0) | |
| Hardened Containers | 23 LTS | openssh | Unknown (9.1_p1-r3) |
| 25 LTS | openssh | Fixed (10.3_p1-r0) | |
| Stream | openssh | Fixed (10.3_p1-r0) |