CVE-2026-35387 Overview
OpenSSH before version 10.3 contains a configuration misinterpretation vulnerability that affects ECDSA algorithm handling. When any ECDSA algorithm is listed in the PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms configuration options, the OpenSSH server incorrectly interprets this as meaning all ECDSA algorithms are permitted. This improper control flow implementation (CWE-670) can lead to unintended cryptographic algorithm acceptance, potentially weakening the security posture of affected SSH deployments.
Critical Impact
Systems may accept ECDSA algorithms that administrators did not intend to enable, potentially allowing authentication using weaker or deprecated cryptographic curves than intended by the security policy.
Affected Products
- OpenSSH versions prior to 10.3
- OpenSSH 10.3p1 and earlier portable versions
- Systems using PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms with ECDSA entries
Discovery Timeline
- April 2, 2026 - CVE-2026-35387 published to NVD
- April 2, 2026 - Last updated in NVD database
Technical Details for CVE-2026-35387
Vulnerability Analysis
This vulnerability stems from improper control flow management within OpenSSH's algorithm configuration parsing logic. When administrators configure specific ECDSA algorithms in either PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms directives, the parsing mechanism fails to properly restrict the accepted algorithms to only those explicitly specified.
The root issue lies in how OpenSSH processes algorithm lists containing any ECDSA variant. Rather than treating each algorithm specification as a distinct, explicit permission, the parser incorrectly expands a single ECDSA algorithm entry to encompass the entire family of ECDSA algorithms. This behavior directly contradicts administrator intent and documented configuration semantics.
From a practical security standpoint, this could allow an attacker with access to keys using different ECDSA curves to authenticate to a server, even when the administrator specifically configured to accept only certain ECDSA variants. The network-based attack vector requires the attacker to possess valid credentials for an unintended but enabled ECDSA algorithm.
Root Cause
The vulnerability is classified under CWE-670 (Always-Incorrect Control Flow Implementation). The OpenSSH configuration parser improperly handles ECDSA algorithm specifications, failing to distinguish between individual algorithm entries and treating any ECDSA listing as a wildcard for all ECDSA algorithms. This represents a logic error in the algorithm matching and validation code path.
Attack Vector
The vulnerability is exploitable over the network with low privileges required. An attacker must possess SSH credentials (public/private key pair) using an ECDSA algorithm that was not explicitly intended to be accepted. The attack scenario requires:
- A target OpenSSH server configured with specific ECDSA algorithm restrictions
- The attacker possessing a valid user account with an ECDSA key using a different curve than intended
- Network access to the SSH service
The vulnerability allows authentication bypass of the intended cryptographic algorithm policy, though the attacker still requires valid credentials. Due to the requirement for existing credentials and specific configuration conditions, the exploitability is limited, which contributes to the lower severity classification.
Detection Methods for CVE-2026-35387
Indicators of Compromise
- Successful SSH authentications using ECDSA algorithms not explicitly listed in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms
- Authentication log entries showing unexpected ECDSA curve usage during key exchange
- SSH connections utilizing ecdsa-sha2-nistp384 or ecdsa-sha2-nistp521 when only ecdsa-sha2-nistp256 was configured (or vice versa)
Detection Strategies
- Review SSH authentication logs (/var/log/auth.log or /var/log/secure) for algorithm negotiation details
- Enable verbose SSH logging (LogLevel VERBOSE or DEBUG) to capture detailed algorithm selection information
- Audit current sshd_config files for any ECDSA algorithm entries in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms
- Compare accepted authentication algorithms against security policy requirements
Monitoring Recommendations
- Implement centralized log collection for SSH authentication events across all affected systems
- Create alerts for authentication events using ECDSA algorithms that deviate from organizational policy
- Regularly audit SSH server configurations to identify systems using ECDSA algorithm restrictions
- Monitor for SSH configuration file changes that introduce ECDSA algorithm specifications
How to Mitigate CVE-2026-35387
Immediate Actions Required
- Upgrade OpenSSH to version 10.3 or later where this issue has been resolved
- Review all SSH server configurations for PubkeyAcceptedAlgorithms and HostbasedAcceptedAlgorithms directives containing ECDSA entries
- If unable to upgrade immediately, consider removing all ECDSA algorithms from accepted lists if only specific curves are required
- Audit user SSH keys to identify which ECDSA curves are currently in use across the organization
Patch Information
The OpenSSH development team has addressed this vulnerability in version 10.3p1. Detailed release information is available in the OpenSSH 10.3p1 Release Notes. Additional technical discussion can be found in the OpenSSH Development Discussion and the Openwall OSS Security Mailing List.
Organizations should obtain updates through their operating system vendor's package management system or compile from source using the official OpenSSH release.
Workarounds
- Remove ECDSA algorithms entirely from PubkeyAcceptedAlgorithms and HostbasedAcceptedAlgorithms if strict curve control is required
- Transition to Ed25519 keys which are not affected by this algorithm expansion issue
- Implement network-level access controls to limit SSH access to trusted sources while awaiting patching
- Use certificate-based authentication with explicit algorithm constraints as an alternative authentication method
# Configuration example - Remove ECDSA algorithms until patched
# Edit /etc/ssh/sshd_config
# If you previously had ECDSA algorithms listed, remove them:
# PubkeyAcceptedAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
# Or upgrade to OpenSSH 10.3+ and restart sshd:
# systemctl restart sshd
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
