CVE Catalog

CVE-2026-39832

CriticalCVSS 9.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.34%

26th percentile — higher than 26% of all known CVEs

Summary

A vulnerability in OpenSSH causes constraint extensions such as [email protected] not to be serialized in the request when adding a key to a remote agent. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host.

Risk Assessment

The organization is at risk of unauthorized access to remote systems because forwarded SSH keys may be used without destination restrictions, potentially leading to privilege escalation or uncontrolled access to critical resources.

Recommendation

Immediately update OpenSSH to a version that fixes the serialization of constraint extensions and modifies the NewKeyring() function to reject keys with unsupported extensions. After the update, regenerate and redeploy SSH keys.

Original NVD description (English source)

When adding a key to a remote agent constraint extensions such as [email protected] were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS