DEBIAN-CVE-2026-35387

DEBIAN-CVE-2026-35387 PUBLISHED CVSS 6.5 MEDIUM

OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms.

Risk Scores

CVSS v3.1

6.5

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

Affected Products

Vendor	Product	Versions
Debian:11	openssh	1:10.1p1-1, 8.4, 8.4
Debian:14	openssh	10.3, *, 1:10.0p1-7
Debian:12	openssh	1:9.2p1-2+deb12u5, 1:9.9p1-3, 1:9.8p1-8
Debian:13	openssh	*, 0, 1:10.0p1-7

Timeline

Apr 2, 2026 CVE Published
May 16, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2026-35387 advisory

Open in Interactive Console →