Am I affected by OpenSSH security flaw CVE-2026-35414?
Damien Miller
djm at mindrot.org
Thu Apr 30 02:34:24 AEST 2026
On Wed, 29 Apr 2026, Turritopsis Dohrnii Teo En Ming via openssh-unix-dev wrote:
> Subject: Am I affected by OpenSSH security flaw CVE-2026-35414?
>
> Good day from Singapore,
>
> I refer to the following article.
>
> Article: OpenSSH Flaw Allowing Full Root Shell Access Lurked for 15 Years
> Link: https://www.securityweek.com/openssh-flaw-allowing-full-root-shell-access-lurked-for-15-years/
> Date of article: 27 Apr 2026
>
> I don't use SSL certificates to login to SSH server. Am I affected by this security flaw?
The problem doesn't relate to SSL certificates, but to SSH certificates.
If you don't use either then you're not affected.
Furthermore, I don't think _anyone_ will be affected by this problem.
For a start, using certificates via authorized_keys is relatively rare
(compared to via sshd_config TrustedUserCAKeys). Using certificates
via authorized_keys with multiple principals is rarer still.
But most significantly, exploitation requires finding a trusted CA
that will issue a certificate with an attacker-controlled principal
name, which should *never* happen. Controlling what goes in the principals
section of a certificate is literally the CA's most important job.
-d
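Added example, not part of the list post or of OpenSSH itself: a small Python audit that reports the two certificate trust paths named above, TrustedUserCAKeys in sshd_config and cert-authority entries in authorized_keys, and how many principals each such entry carries. The sshd_config and authorized_keys inputs are constructed samples, and the principals/command parsing follows the options grammar described in sshd(8).

```python
"""Audit where sshd trusts SSH certificates: TrustedUserCAKeys in sshd_config and
cert-authority lines in authorized_keys, with the size of each principals= list."""
import re

# Constructed sample inputs for illustration; key material is not real.
SAMPLE_SSHD_CONFIG = "Port 22\n#TrustedUserCAKeys /etc/ssh/old_ca.pub\nTrustedUserCAKeys /etc/ssh/user_ca.pub\n"
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyNotReal0000000000000000 alice@laptop
cert-authority,principals="alice,bob,deploy",command="echo \\"hi, there\\"" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleCaKeyNotReal00000000000000 multi-principal-ca
cert-authority ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleRsaCaNotReal000000000000000 any-principal-ca
"""
# Per sshd(8), an options field is a run of non-space characters and double-quoted
# strings; inside quotes, commas are literal and \" is an escaped quote.
QUOTED = r'"(?:[^"\\]|\\.)*"'
OPTIONS_FIELD = re.compile(r'^((?:[^\s"]|' + QUOTED + r')+)\s+(\S+)')
ONE_OPTION = re.compile(r'([^\s,=]+)(?:=(' + QUOTED + r'|[^,]*))?')
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")

def parse_options(text):
    """Parse an authorized_keys options field into {name: value}; flags map to None,
    quoted values are unquoted and unescaped."""
    opts = {}
    for m in ONE_OPTION.finditer(text):
        name, value = m.group(1).lower(), m.group(2)
        if value is not None and value.startswith('"'):
            value = re.sub(r"\\(.)", r"\1", value[1:-1])
        opts[name] = value
    return opts

def find_cert_authorities(authorized_keys_text):
    """Return (line_no, key_type, principals) for each cert-authority line. An empty
    principals list means no principals= restriction was set for that CA."""
    found = []
    for no, raw in enumerate(authorized_keys_text.splitlines(), 1):
        line = raw.strip()
        m = OPTIONS_FIELD.match(line)
        if not m or line.startswith(("#",) + KEY_TYPE_PREFIXES):
            continue  # blank, comment, or plain key with no options field
        opts = parse_options(m.group(1))
        if "cert-authority" in opts:
            princ = opts.get("principals") or ""
            found.append((no, m.group(2), [p for p in princ.split(",") if p]))
    return found

def trusted_user_ca_keys(sshd_config_text):
    """Return TrustedUserCAKeys values from sshd_config (keyword is case-insensitive;
    lines commented out with # are ignored)."""
    pat = re.compile(r"^\s*trustedusercakeys(?:\s+|\s*=\s*)(\S.*?)\s*$", re.I)
    return [m.group(1) for m in map(pat.match, sshd_config_text.splitlines()) if m]
```

On a real host, feed it the contents of /etc/ssh/sshd_config and each user's ~/.ssh/authorized_keys; an empty result from both functions means no SSH certificate trust is configured on that host.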