CVE-2026-35387 — Vulnetix

Try Vulnetix Request Demo

CVE-2026-35387 PUBLISHED CVSS 3.1 LOW

Reported by mitre · Published April 2, 2026

OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms.

Risk Scores

CVSS v3.1

3.1

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Affected Products

Vendor	Product	Versions
OpenBSD	OpenSSH	0
OpenBSD	OpenSSH	0
openbsd	openssh	0

Timeline

Apr 2, 2026 CVE Published
Apr 2, 2026 CVE Updated
Apr 2, 2026 PoC Published
Apr 2, 2026 PoC Published
Apr 2, 2026 PoC Published
May 1, 2026 Distribution Patch
May 1, 2026 Security Advisory
May 4, 2026 Distribution Patch
May 4, 2026 Security Advisory
May 4, 2026 Distribution Patch
May 4, 2026 Security Advisory
May 5, 2026 Distribution Patch

References

Open in Interactive Console →