USN-8222-1: OpenSSH vulnerabilities

Publication date

29 April 2026

Overview

Several security issues were fixed in OpenSSH.


Packages

  • openssh - secure shell (SSH) for secure access to remote machines

Details

Christos Papakonstantinou discovered that the OpenSSH scp tool incorrectly
handled the legacy scp protocol (-O) option. This could result in certain
files being installed setuid or setgid, contrary to expectations.
(CVE-2026-35385)

Florian Kohnhäuser discovered that OpenSSH incorrectly handled shell
metacharacters in usernames within a command line. When untrusted usernames
are combined with non-default ssh_config settings that use % tokens, an
attacker could possibly use this issue to execute arbitrary code.
(CVE-2026-35386)

Christos Papakonstantinou discovered that OpenSSH incorrectly handled
parsing the PubkeyAcceptedAlgorithms and HostbasedAcceptedAlgorithms
options. This could result in unintended ECDSA algorithms being used,
contrary to expectations. (CVE-2026-35387)

Michalis Vasileiadis discovered that OpenSSH incorrectly handled
proxy-mode multiplexing sessions. This could result in no confirmation
being asked, contrary to expectations. (CVE-2026-35388)

Vladimir Tokarev discovered that OpenSSH incorrectly handled certificates
with the principal name containing a comma character when using user-trusted
CA keys in authorized_keys and an authorized_keys principals="" option
that lists more than one principal. This could result in inappropriate
principal matching, contrary to expectations. (CVE-2026-35414)
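As an added defensive check, not part of this notice or of OpenSSH itself, the script below audits an ssh_config for directives that are handed to a shell after % token expansion (the configurations the username-metacharacter issue above depends on) and shows a conservative allowlist for usernames taken from untrusted input. The set of audited directives, the username character class and the sample configuration are assumptions.

```python
import re

# Directives whose value is passed to a shell after % token expansion
# (ProxyCommand, LocalCommand, Match exec). Assumption: these are the
# places where an untrusted username reaching a %r token matters most.
SHELL_EXPANDED = {"proxycommand", "localcommand", "match"}
# ssh_config % tokens; %r is the remote username, %% is a literal percent.
TOKEN_RE = re.compile(r"%[%CdfhiIjkKLlnprTuU]")

# Constructed sample configuration, not taken from any real system.
SAMPLE_CONFIG = """\
# constructed example
Host bastion
    ProxyCommand ssh -W %h:%p jump
Host *.lab
    User deploy
    LocalCommand logger "ssh to %r@%h"
Match host *.lab exec "check-host %h"
    IdentityFile ~/.ssh/lab
"""


def find_shell_token_uses(config_text):
    """Return (lineno, directive, tokens) for shell-executed directives using % tokens."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # ssh_config comments start the line
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        directive, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if directive not in SHELL_EXPANDED:
            continue
        if directive == "match" and "exec" not in value.lower():
            continue  # a Match without exec runs no shell
        tokens = sorted(set(TOKEN_RE.findall(value)))
        if tokens:
            findings.append((lineno, parts[0], tokens))
    return findings


def is_safe_username(name):
    """Conservative allowlist for usernames from untrusted input (assumed policy)."""
    return re.fullmatch(r"[a-z_][a-z0-9_-]{0,31}", name) is not None


if __name__ == "__main__":
    for lineno, directive, tokens in find_shell_token_uses(SAMPLE_CONFIG):
        flag = " (remote username reaches shell)" if "%r" in tokens else ""
        print(f"line {lineno}: {directive} uses {' '.join(tokens)}{flag}")
    for name in ("deploy", "deploy;id", "$(whoami)"):
        print(f"{name!r}: {'ok' if is_safe_username(name) else 'REJECT'}")
```

Findings that include %r are the ones to review first, since that is where a remote username supplied by an untrusted party would be expanded into a shell command line.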


Update instructions

In general, a standard system update will make all the necessary changes.

Learn more about how to get the fixes.

The problem can be corrected by updating your system to the following package versions:

