{
  "threat_severity" : "Low",
  "public_date" : "2026-04-02T16:44:27Z",
  "bugzilla" : {
    "description" : "OpenSSH: Arbitrary command execution via shell metacharacters in username",
    "id" : "2454506",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2454506"
  },
  "cvss3" : {
    "cvss3_base_score" : "3.6",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-78",
  "details" : [ "In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configuration of % in ssh_config.", "A flaw was found in OpenSSH. This vulnerability allows a remote attacker to achieve arbitrary command execution by injecting shell metacharacters into a username provided on the command line. Exploitation requires an untrusted username and a non-default configuration of the '%' character in `ssh_config`." ],
  "statement" : "Red Hat products do not ship in a configuration which is subject to this vulnerability. Additionally, the impact of the command execution is limited to the scope of the specific user account which users would need to create themselves.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-05-04T00:00:00Z",
    "advisory" : "RHSA-2026:13380",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "openssh-0:9.9p1-14.el10_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-05-19T00:00:00Z",
    "advisory" : "RHSA-2026:19069",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.2",
    "package" : "openssh-0:9.9p1-23.el10_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10.0 Extended Update Support",
    "release_date" : "2026-04-30T00:00:00Z",
    "advisory" : "RHSA-2026:12389",
    "cpe" : "cpe:/o:redhat:enterprise_linux_eus:10.0",
    "package" : "openssh-0:9.9p1-7.el10_0.3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-05-04T00:00:00Z",
    "advisory" : "RHSA-2026:13383",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "openssh-0:8.0p1-29.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-05-04T00:00:00Z",
    "advisory" : "RHSA-2026:13383",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "openssh-0:8.0p1-29.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-05-04T00:00:00Z",
    "advisory" : "RHSA-2026:13381",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "openssh-0:8.7p1-49.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-05-19T00:00:00Z",
    "advisory" : "RHSA-2026:19219",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "openssh-0:9.9p1-7.el9_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-05-04T00:00:00Z",
    "advisory" : "RHSA-2026:13381",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "openssh-0:8.7p1-49.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-05-19T00:00:00Z",
    "advisory" : "RHSA-2026:19219",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "openssh-0:9.9p1-7.el9_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support",
    "release_date" : "2026-05-11T00:00:00Z",
    "advisory" : "RHSA-2026:16059",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.6",
    "package" : "openssh-0:8.7p1-45.el9_6.3"
  }, {
    "product_name" : "Red Hat Discovery 2",
    "release_date" : "2026-05-07T00:00:00Z",
    "advisory" : "RHSA-2026:14937",
    "cpe" : "cpe:/a:redhat:discovery:2::el9",
    "package" : "discovery/discovery-server-rhel9:1778101579"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Fix deferred",
    "package_name" : "openssh",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "openssh",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Fix deferred",
    "package_name" : "rhcos",
    "cpe" : "cpe:/a:redhat:openshift:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-35386\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-35386\nhttps://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2\nhttps://www.openssh.org/releasenotes.html#10.3p1\nhttps://www.openwall.com/lists/oss-security/2026/04/02/3" ],
  "name" : "CVE-2026-35386",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}