External risk intelligence

OpenSSH Use-After-Free During Host Key Re-exchange

CVE advisorySeverity: CRITICAL (CVSS 9.4)

CVE-2026-60002

The vulnerability occurs only on the client side during an SSH key re-exchange. As a client-side process, it is not an internet-facing service or listener and does not provide an externally reachable attack surface in common deployments.

Use After Free

Openbsd Openssh

before 10.4

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability has been identified in OpenSSH that could allow for the misuse of memory on the client side when a server changes its host key during a key re-exchange. While the direct impact on externally facing services is unlikely, understanding the potential for client-side compromise is important for overall system security.

  • Memory misuse issue in SSH clients.
  • Confirms relevance and potential client-side exposure.
  • Assess risk to client systems and data.

Attack Path

How an attacker could exploit the issue

An attacker could trigger a vulnerability in SSH if a server unexpectedly changes its host key while a client is reconnecting. This could allow them to compromise the client.

  • Requires a specific server action during connection.
  • Triggered by host key re-exchange on client.
  • Risk of client compromise and data loss.

Live Threat

Current exploitation, exposure, and threat context

When an SSH server changes its host key during a key re-exchange, a client-side use-after-free vulnerability could occur. This may affect the confidentiality and integrity of data processed by the SSH client, and could potentially lead to a denial-of-service condition for the client.

  • Client session data integrity.
  • Use-after-free on key re-exchange.
  • Client may crash or leak sensitive data.

Operational Fix

Recommended remediation, mitigation, and detection steps

Given that the vulnerability affects OpenSSH clients, ownership likely falls to teams managing server infrastructure and client endpoints. The first practical step involves identifying all systems running affected OpenSSH versions, assessing their exposure, and confirming business criticality to prioritize remediation efforts with the appropriate accountable owner.

  • Infrastructure or Platform teams should own the issue.
  • Verify all client-side OpenSSH deployments.
  • Plan upgrades during maintenance windows.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is OpenSSH and where is it used?

OpenSSH is a suite of secure networking tools used for remote login and data transfer. It is widely installed on Linux, Unix, and macOS systems to provide encrypted communication between a client and a server. This vulnerability specifically affects the client-side component of the software, which handles outgoing connections to remote hosts.

What does use-after-free mean in CVE-2026-60002?

A use-after-free, categorized as CWE-416, is a memory management error. It happens when software continues to use a memory location after that memory has been freed or cleared. In this CVE, the flaw occurs within the OpenSSH client, potentially allowing the software to process invalid data, which can lead to system crashes or the unauthorized disclosure of sensitive information.

How is the OpenSSH vulnerability triggered?

The vulnerability is triggered only when an SSH server changes its host key during a key re-exchange process. If the client does not encounter this specific server-side action, the vulnerable code path is not activated. It does not occur during standard, stable connections where the host key remains consistent.

Is my system at risk according to Halo Surface Signal?

Halo Surface Signal indicates that risk is very unlikely because this vulnerability is strictly a client-side issue. It does not create an internet-facing listener or service that attackers can scan for from the outside. Because the flaw relies on the client's behavior during a specific re-exchange event, it does not provide a traditional network attack surface.

What should I do if I use OpenSSH?

Your first step is to identify all endpoints and servers that act as SSH clients running versions of OpenSSH older than 10.4. Once you have an inventory, coordinate with infrastructure or platform teams to plan software upgrades. Prioritize these updates based on how critical the client systems are to your business operations.

References