Use-After-Free Vulnerability in OpenSSH Client due to Host Key Change
CVE-2026-60002

7.7HIGH

Key Information:

Vendor

OpenBSD

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-60002?

A use-after-free vulnerability exists in the OpenSSH client versions before 10.4, specifically occurring when a server modifies its host key during a key re-exchange process. This flaw particularly affects the client side, leading to potential unexpected behaviors and security implications if exploited.

Affected Version(s)

OpenSSH 0 < 10.4

References

CVSS V3.1

Score:
7.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.