CVE-2026-35388 Overview
CVE-2026-35388 is a vulnerability in OpenSSH versions prior to 10.3 that involves the omission of connection multiplexing confirmation for proxy-mode multiplexing sessions. This security weakness allows potential manipulation of SSH connection multiplexing behavior, which could enable unauthorized channel establishment in specific proxy configurations.
Critical Impact
OpenSSH proxy-mode multiplexing sessions may proceed without proper confirmation, potentially allowing unauthorized connection multiplexing in environments that rely on explicit session validation.
Affected Products
- OpenSSH versions before 10.3
- OpenSSH portable versions before 10.3p1
- Systems using SSH connection multiplexing with proxy mode
Discovery Timeline
- 2026-04-02 - CVE-2026-35388 published to NVD
- 2026-04-02 - Last updated in NVD database
Technical Details for CVE-2026-35388
Vulnerability Analysis
This vulnerability is classified under CWE-420 (Unprotected Alternate Channel), which describes a weakness where an application does not adequately protect all communication channels. In the context of OpenSSH, the proxy-mode multiplexing functionality allows multiple SSH sessions to share a single TCP connection. However, versions prior to 10.3 fail to implement proper confirmation mechanisms when establishing these multiplexed sessions through proxy mode.
The vulnerability requires local access and user interaction to exploit, with high attack complexity. While the integrity impact is limited and there is no direct confidentiality or availability impact, the missing confirmation step could allow an attacker with local system access to manipulate SSH multiplexing behavior in specific configurations.
Root Cause
The root cause stems from insufficient validation in the connection multiplexing confirmation process for proxy-mode sessions. When OpenSSH operates in proxy multiplexing mode, it should verify that the multiplexing request is legitimate before establishing the additional channel. The affected versions omit this critical confirmation step, creating a potential security gap in the channel establishment process.
Attack Vector
The attack vector is local, requiring the attacker to have access to the same system where the SSH client is operating. The attacker must also rely on user interaction and specific timing conditions (high complexity) to exploit this vulnerability. A successful attack could potentially allow unauthorized establishment of multiplexed connections, though the impact is limited to integrity concerns without direct data exfiltration or service disruption capabilities.
The exploitation scenario involves manipulating the multiplexing control socket when a legitimate user initiates an SSH connection with proxy-mode multiplexing enabled. Without proper confirmation, malicious multiplexing requests could be processed alongside legitimate ones.
Detection Methods for CVE-2026-35388
Indicators of Compromise
- Unexpected SSH multiplexing sessions appearing in connection logs
- Unusual activity on SSH control sockets (typically located in /tmp or user-specified paths)
- Multiple SSH channels being established without corresponding user commands
Detection Strategies
- Monitor SSH client configurations for ControlMaster and ControlPath settings that enable multiplexing
- Audit SSH connection logs for anomalous multiplexing behavior
- Implement file integrity monitoring on SSH control socket directories
Monitoring Recommendations
- Enable verbose SSH logging (LogLevel VERBOSE) to capture detailed connection multiplexing events
- Monitor for unexpected processes interacting with SSH control sockets
- Implement endpoint detection to identify unauthorized access to user SSH configurations
How to Mitigate CVE-2026-35388
Immediate Actions Required
- Upgrade OpenSSH to version 10.3 or later
- Review SSH client configurations for proxy-mode multiplexing usage
- Audit systems where SSH connection multiplexing is enabled with proxy mode
Patch Information
The vulnerability is addressed in OpenSSH version 10.3 and OpenSSH portable version 10.3p1. Organizations should upgrade to these versions or later to remediate this vulnerability. Detailed release information is available in the OpenSSH Release Notes 10.3p1.
Additional technical discussion can be found on the OpenSSH Mailing List and the Openwall OSS-Security Discussion.
Workarounds
- Disable SSH connection multiplexing by setting ControlMaster no in the SSH client configuration
- If multiplexing is required, avoid using proxy mode until patched versions are deployed
- Restrict permissions on SSH control socket directories to prevent unauthorized access
# Disable SSH connection multiplexing in client configuration
# Add to ~/.ssh/config or /etc/ssh/ssh_config
Host *
    ControlMaster no
    ControlPath none
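An added example, not part of the original advisory or of OpenSSH itself: a small audit helper for the configuration review under Detection Strategies, the 10.3 upgrade check, and the control socket directory workaround above. The function names, the sample configuration and the version banners are assumptions constructed for illustration.

```python
import os
import re

ENABLING = {"yes", "auto", "ask", "autoask"}  # ControlMaster values that enable multiplexing

def audit_ssh_config(text):
    """Flag lines that enable multiplexing. Line-based: no Include, no precedence."""
    findings, block = [], "(global)"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config accepts both "Keyword value" and "Keyword=value".
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().strip('"')
        if key in ("host", "match"):
            block = value
        elif key == "controlmaster" and value.lower() in ENABLING:
            findings.append((block, key, value))
        elif key == "controlpath" and value.lower() != "none":
            findings.append((block, key, value))
    return findings

def is_patched(banner):
    """True if an `ssh -V` banner reports OpenSSH 10.3 or later (the fixed release)."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("not an OpenSSH version banner")
    return (int(m.group(1)), int(m.group(2))) >= (10, 3)

def dir_is_private(path):
    """True if path is a directory with no group/other permission bits set."""
    return os.path.isdir(path) and not (os.stat(path).st_mode & 0o077)

# Constructed sample config, not taken from a real host.
SAMPLE_CONFIG = """\
Host bastion
    ControlMaster auto
    ControlPath ~/.ssh/cm-%r@%h:%p
Host *.internal
    ControlMaster=ask
Host *
    ControlMaster no
    ControlPath none
"""

if __name__ == "__main__":
    print(audit_ssh_config(SAMPLE_CONFIG), is_patched("OpenSSH_10.2p1"))
```

The audit reports every enabling line rather than resolving which value ssh would actually apply to a given host, so treat each finding as a prompt to review that Host block.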
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


