CVE-2026-35387: OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or H

Description

OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms.

Affected Products

Vendor	Product	Versions
openssh	openssh	0

References

Related News (2 articles)

Tier C

oss-security6h ago

Re: Announce: OpenSSH 10.3 released

→ No new info (linked only)

Tier C

VulDB21h ago

CVE-2026-35387 | OpenSSH up to 10.2 control flow

→ No new info (linked only)

CVSS 3.13.1 LOW

VectorCVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

10.3

CWECWE-670

PublishedApr 2, 2026

Last enriched20h agov2

Trending Score51

Source articles2

Independent2

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

Version History

Last enriched 20h ago

v2Tier C20h ago

Updated affected versions to include 10.2, changed severity to MEDIUM, and noted that the exploit is not available.

affectedVersionsseverityactivelyExploited

via VulDB

v121h ago

Initial creation

CVE-2026-35387: OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or H

Description

Affected Products

References

Related News (2 articles)

Community Vote

Related CVEs (4)

Pin to Dashboard

Verification

Vulnerability Timeline

Version History