Debian shipped advisory DSA-6204-1 for OpenSSH on 9 April 2026. The flaw, tracked as CVE-2026-3497, does not live in the OpenSSH code maintained upstream. It sits in the GSSAPI Key Exchange patch that Debian (and other distributions such as Ubuntu) apply on their own. Researcher Jeremy Brown found it.
What actually breaks
The bug is in the server loop that negotiates key exchange over GSSAPI. When an error happens during that negotiation, the code calls the wrong function: it uses sshpkt_disconnect() instead of ssh_packet_disconnect(). That difference matters. The second tears down the connection right away; the first only queues a disconnect message and lets the program keep running.
Because it keeps running, execution falls through into code that reads an uninitialized stack variable named recv_tok. Whatever garbage is left on the stack gets sent to the privileged monitor process over IPC and ends up passed to gss_release_buffer(), which can call free() on an invalid pointer. That is confirmed heap corruption.
In practice an attacker can reliably crash SSH child processes with a single crafted network packet, before authenticating. Debian’s own advisory does not rule out that, with enough effort, the memory fault could lead to arbitrary code execution.
Who is affected
Only systems that have explicitly enabled the GSSAPIKeyExchange option. This is not the default. It tends to show up in Kerberos environments, where GSSAPI handles domain authentication, so the typical targets are corporate and university networks running SSO over Kerberos.
If you have never touched that directive in your sshd_config, you are most likely not exposed. Check with (note that this also matches commented-out lines, so read the output rather than treating any hit as confirmation):
grep -i gssapikeyexchange /etc/ssh/sshd_config
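A slightly more careful check, added here as an example rather than taken from the advisory: it strips comments and, like sshd itself, treats the first occurrence of a keyword as the one that counts. The config path is passed as an argument, and the sample files are constructed for the stand-alone run.

```shell
#!/bin/sh
# Added example (not from the Debian advisory): report whether
# GSSAPIKeyExchange is effectively enabled in a given sshd_config.
# Unlike a plain grep this ignores commented-out lines and honours
# sshd's rule that the first occurrence of a keyword wins.
gsskex_enabled() {
    # "#" starts a comment; keyword match is case-insensitive; first hit wins
    val=$(sed -e 's/#.*//' "$1" \
        | awk 'tolower($1)=="gssapikeyexchange" { print tolower($2); exit }')
    case "$val" in
        yes) return 0 ;;   # enabled: exposed to CVE-2026-3497 if unpatched
        *)   return 1 ;;   # absent or "no": the default, not exposed
    esac
}

report() {
    if gsskex_enabled "$1"; then
        echo "$1: GSSAPIKeyExchange enabled, patch or disable it"
    else
        echo "$1: GSSAPIKeyExchange not enabled"
    fi
}

# Constructed sample configs for a stand-alone run
samples=$(mktemp -d)
cat > "$samples/default.conf" <<'EOF'
# GSSAPIKeyExchange yes
GSSAPIAuthentication yes
EOF
cat > "$samples/kerberos.conf" <<'EOF'
GSSAPIKeyExchange yes
GSSAPIKeyExchange no
EOF

report "$samples/default.conf"
report "$samples/kerberos.conf"
rm -rf "$samples"
```

On a live host, `sshd -T | grep -i gssapikeyexchange` prints the value sshd actually runs with, which is the authoritative answer when the config is spread over Include files.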
Severity
Debian classes this as a flaw allowing denial of service and, potentially, code execution. The attack surface is remote and pre-authentication, which keeps it serious even though it depends on a non-default option. Since the bug lives in a Debian/Ubuntu-specific patch, OpenSSH built from upstream sources without that addition is not affected.
Mitigation and patch
The fix is to update the openssh package:
- Debian 12 (Bookworm): fixed in 1:9.2p1-2+deb12u9.
- Debian 13 (Trixie): fixed in 1:10.0p1-7+deb13u2.
The Bookworm update also rolls in fixes for CVE-2025-61984 and CVE-2025-61985, slated for the 12.14 point release.
sudo apt update && sudo apt install --only-upgrade openssh-server openssh-client
sudo systemctl restart ssh
If you cannot patch right away and you do not need GSSAPI key exchange, turn off GSSAPIKeyExchange in /etc/ssh/sshd_config and restart the service. That closes the attack path until you apply the update.