CVE-2026-35387EXPLOITEDPATCHED

openbsd · openssh

CVE-2026-35387: OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or H

Description

OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms.

Affected Products

Vendor	Product	Versions
openbsd	openssh	0, < 10.3

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor	Product	Source	Confidence
ibm	qradar siem	cert_advisory	90%
open source	openssh	cert_advisory	90%

References

Related News (5 articles)

Tier B

BSI Advisories21d ago

[NEU] [hoch] IBM QRadar SIEM: Mehrere Schwachstellen

→ No new info (linked only)

Tier B

BSI Advisories70d ago

[NEU] [mittel] OpenSSH: Mehrere Schwachstellen

→ No new info (linked only)

Tier A

Microsoft MSRC70d ago

CVE-2026-35387

→ No new info (linked only)

Tier C

oss-security74d ago

Re: Announce: OpenSSH 10.3 released

→ No new info (linked only)

Tier C

VulDB75d ago

CVE-2026-35387 | OpenSSH up to 10.2 control flow

→ No new info (linked only)

CVSS 3.13.1 LOW

VectorCVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

10.3

CWECWE-670, CWE-78

PublishedApr 2, 2026

Last enriched75d agov2

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

HIGHPRE-CVE

OpenBSD sppp_pap_input PAP Authentication Bypass Vulnerability

Trending: 26

HIGHCVE-2026-35385

CVE-2026-35385: In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' e

Trending: 6

LOWCVE-2026-35388

CVE-2026-35388: OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions.

Trending: 4

LOWCVE-2026-35386EXP

CVE-2026-35386: In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This r

Trending: 3

MEDIUMCVE-2026-35414EXP

CVE-2026-35414: OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list i

Trending: 3

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 2, 2026

Discovered by ZDM

Apr 2, 2026

Updated: affectedVersions, severity, activelyExploited

Apr 2, 2026

Actively Exploited

Apr 3, 2026

Exploit Available

Apr 3, 2026

Patch Available

Apr 3, 2026

Version History

Last enriched 75d ago

v2Tier C75d ago

Updated affected versions to include 10.2, changed severity to MEDIUM, and noted that the exploit is not available.

affectedVersionsseverityactivelyExploited

via VulDB

v175d ago

Initial creation