{
  "threat_severity" : "Low",
  "public_date" : "2026-04-02T16:52:53Z",
  "bugzilla" : {
    "description" : "OpenSSH: Information disclosure due to unintended cryptographic algorithm usage",
    "id" : "2454494",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2454494"
  },
  "cvss3" : {
    "cvss3_base_score" : "3.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-115",
  "details" : [ "OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms.", "A flaw was found in OpenSSH. This vulnerability allows the system to use unintended Elliptic Curve Digital Signature Algorithm (ECDSA) algorithms. This occurs because the configuration for accepted public key algorithms is misinterpreted, leading to the use of weaker cryptographic methods than intended. This could potentially allow an attacker to compromise the confidentiality of data." ],
  "statement" : "The ECDSA signature algorithms which may be used as a result of this flaw may provide fewer bits of security than those configured by the user; however, they are all still considered cryptographically secure. Users who work in regulated environments may nevertheless find themselves using algorithms which are not approved in their regulatory environment.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-05-04T00:00:00Z",
    "advisory" : "RHSA-2026:13380",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "openssh-0:9.9p1-14.el10_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-05-19T00:00:00Z",
    "advisory" : "RHSA-2026:19069",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.2",
    "package" : "openssh-0:9.9p1-23.el10_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10.0 Extended Update Support",
    "release_date" : "2026-04-30T00:00:00Z",
    "advisory" : "RHSA-2026:12389",
    "cpe" : "cpe:/o:redhat:enterprise_linux_eus:10.0",
    "package" : "openssh-0:9.9p1-7.el10_0.3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-05-04T00:00:00Z",
    "advisory" : "RHSA-2026:13383",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "openssh-0:8.0p1-29.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-05-04T00:00:00Z",
    "advisory" : "RHSA-2026:13383",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "openssh-0:8.0p1-29.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-05-04T00:00:00Z",
    "advisory" : "RHSA-2026:13381",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "openssh-0:8.7p1-49.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-05-19T00:00:00Z",
    "advisory" : "RHSA-2026:19219",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "openssh-0:9.9p1-7.el9_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-05-04T00:00:00Z",
    "advisory" : "RHSA-2026:13381",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "openssh-0:8.7p1-49.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-05-19T00:00:00Z",
    "advisory" : "RHSA-2026:19219",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "openssh-0:9.9p1-7.el9_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support",
    "release_date" : "2026-05-11T00:00:00Z",
    "advisory" : "RHSA-2026:16059",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.6",
    "package" : "openssh-0:8.7p1-45.el9_6.3"
  }, {
    "product_name" : "Red Hat Discovery 2",
    "release_date" : "2026-05-07T00:00:00Z",
    "advisory" : "RHSA-2026:14937",
    "cpe" : "cpe:/a:redhat:discovery:2::el9",
    "package" : "discovery/discovery-server-rhel9:1778101579"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Fix deferred",
    "package_name" : "openssh",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "openssh",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Fix deferred",
    "package_name" : "rhcos",
    "cpe" : "cpe:/a:redhat:openshift:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-35387\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-35387\nhttps://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2\nhttps://www.openssh.org/releasenotes.html#10.3p1\nhttps://www.openwall.com/lists/oss-security/2026/04/02/3" ],
  "name" : "CVE-2026-35387",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}