Fluid Attacks Database

Description

OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	openssh	=1:9.2p1-2 \|\| =1:9.2p1-2+deb12u1 \|\| =1:9.2p1-2+deb12u2 \|\| =1:9.2p1-2+deb12u3 \|\| =1:9.2p1-2+deb12u4 \|\| =1:9.2p1-2+deb12u5 \|\| =1:9.2p1-2+deb12u6 \|\| =1:9.2p1-2+deb12u7 \|\| =1:9.2p1-2+deb12u8 \|\| =1:9.2p1-2+deb12u9 \|\| >=0 <1:9.2p1-2+deb12u10	1:9.2p1-2+deb12u10
rpm rhel8	openssh	<0:8.0p1-29.el8_10	0:8.0p1-29.el8_10
rpm rhel9	openssh	<0:8.7p1-49.el9_7 \|\| >=0:9.9p1, <0:9.9p1-7.el9_8	0:9.9p1-7.el9_8
rpm rhel10	openssh	<0:9.9p1-23.el10_2	0:9.9p1-23.el10_2
rpm rhel6	openssh	-	-
debian 14	openssh	=1:10.0p1-7 \|\| =1:10.0p1-8 \|\| =1:10.1p1-1 \|\| =1:10.1p1-2 \|\| =1:10.2p1-1 \|\| =1:10.2p1-2 \|\| =1:10.2p1-2~bpo13+1 \|\| =1:10.2p1-3 \|\| =1:10.2p1-4 \|\| =1:10.2p1-5 \|\| =1:10.2p1-6 \|\| =1:10.2p1-6~bpo13+1 \|\| =1:10.3p1-1~bpo13+1 \|\| >=0 <1:10.3p1-1	1:10.3p1-1
debian 11	openssh	=1:8.4p1-5 \|\| =1:8.4p1-5+deb11u1 \|\| =1:8.4p1-5+deb11u2 \|\| =1:8.4p1-5+deb11u3 \|\| =1:8.4p1-5+deb11u4 \|\| =1:8.4p1-5+deb11u5 \|\| =1:8.4p1-5+deb11u6 \|\| >=0 <1:8.4p1-5+deb11u7	1:8.4p1-5+deb11u7
debian 13	openssh	=1:10.0p1-7 \|\| =1:10.0p1-7+deb13u1 \|\| =1:10.0p1-7+deb13u2 \|\| >=0 <1:10.0p1-7+deb13u3	1:10.0p1-7+deb13u3
rpm rhel7	openssh	-	-
rpm rhel10.0	openssh	<0:9.9p1-7.el10_0.3	0:9.9p1-7.el10_0.3

1-10 of 13

Aliases

1. CVE-2026-353872. NVD-2026-353873. OSV-DEBIAN-2026-353874. OSV-2026-353875. SECURITY-TRACKER-CVE-2026-35387

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.