CVE-2026-35387
Published Apr 2, 2026
·Updated
OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms.
Affected Software
2 affected components
OpenSSH OpenSSH<10.3
OpenBSD OpenSSH<10.3
Event History
Apr 2, 2026
CVE Published
via MITRE·04:52 PM
Data Sourced
via MITRE·04:52 PM
DescriptionSeverityWeakness
Data Sourced
via NVD·05:16 PM
DescriptionSeverityWeaknessAffected Software
Data Sourced
via Red Hat·06:02 PM
DescriptionSeverityAffected Software
Frequently Asked Questions
1
What is the severity of CVE-2026-35387?
CVE-2026-35387 is rated as a high-severity vulnerability due to its potential impact on cryptographic security.
2
How do I fix CVE-2026-35387?
To remediate CVE-2026-35387, upgrade OpenSSH to version 10.3 or later.
3
What should I know about the ECDSA algorithms in CVE-2026-35387?
CVE-2026-35387 indicates that unintended ECDSA algorithms can be used if they are improperly listed in configuration settings.
4
What versions of OpenSSH are affected by CVE-2026-35387?
OpenSSH versions prior to 10.3 are affected by CVE-2026-35387.
5
Is there a workaround for CVE-2026-35387?
A temporary workaround for CVE-2026-35387 is to review and adjust the PubkeyAcceptedAlgorithms and HostbasedAcceptedAlgorithms settings.