Security News


CRITICAL Vulnerabilities Ubuntu Security

USN-8090-2: OpenSSH vulnerabilities

This update addresses three OpenSSH vulnerabilities: CVE-2026-3497, a GSSAPI Key Exchange flaw that allows denial of service or possibly remote code execution in non-default configurations where GSSAPIKeyExchange is enabled; and CVE-2025-61984 (CVSS 3.6) and CVE-2025-61985 (CVSS 3.6), which involve improper handling of control characters in usernames and NULL characters in ssh:// URIs, respectively, potentially leading to remote code execution when ProxyCommand is used. The patch is provided specifically for Ubuntu 20.04 LTS as a follow-up to USN-8090-1.

USN-8090-1 fixed vulnerabilities in OpenSSH. This update provides the corresponding updates for Ubuntu 20.04 LTS.

Original advisory details:

Jeremy Brown discovered that the OpenSSH GSSAPI Key Exchange incorrectly handled disconnecting clients. In non-default configurations where the GSSAPIKeyExchange setting is enabled, a remote attacker could use this issue to cause OpenSSH to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2026-3497)

David Leadbeater discovered that OpenSSH incorrectly handled certain control characters in usernames. When untrusted usernames and the ProxyCommand are being used, an attacker could possibly use this issue to execute arbitrary code. (CVE-2025-61984)

David Leadbeater discovered that OpenSSH incorrectly handled NULL characters in ssh:// URIs. When the ProxyCommand is being used, an attacker could possibly use this issue to execute arbitrary code. (CVE-2025-61985)
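The advisory names two conditions a defender can check for directly: the non-default GSSAPIKeyExchange setting that exposes CVE-2026-3497, and externally supplied usernames or ssh:// URIs reaching ssh while ProxyCommand is in use (CVE-2025-61984 and CVE-2025-61985). The helper below is an added example, not code from Ubuntu, OpenSSH or the advisory. Installing the update is the fix; these checks are a supplementary guard for wrappers that build ssh invocations from untrusted input, plus a quick audit of an sshd_config text. Function names, the allow-list patterns and the sample inputs are the example's own assumptions.

```python
"""Pre-flight checks for untrusted ssh targets and a GSSAPIKeyExchange audit.

Added example (not Ubuntu's or OpenSSH's code). It rejects usernames and
ssh:// URIs containing control or NUL characters before they are passed to
ssh, and flags an sshd_config that enables the non-default GSSAPIKeyExchange
directive described in the advisory.
"""
import re
from urllib.parse import unquote, urlsplit

# Anything below 0x20 (NUL, newline, carriage return, ...) or DEL.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")
# Conservative allow-lists (assumption: tighten or loosen for your site).
_USER_OK = re.compile(r"^[A-Za-z0-9._-]{1,64}$")
_HOST_OK = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def check_username(user: str) -> bool:
    """True only if a username is safe to hand to ssh (no control chars)."""
    if _CONTROL.search(user):
        return False
    return bool(_USER_OK.match(user))


def check_ssh_uri(uri: str) -> bool:
    """True only if an ssh:// URI's user and host are clean after decoding.

    The raw string is checked first because urlsplit silently drops some
    control bytes; the user and host are then percent-decoded so an encoded
    NUL (%00) is caught as well.
    """
    if _CONTROL.search(uri):
        return False
    parts = urlsplit(uri)
    if parts.scheme != "ssh" or not parts.hostname:
        return False
    try:
        parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    user = unquote(parts.username or "")
    host = unquote(parts.hostname)
    if _CONTROL.search(user) or _CONTROL.search(host):
        return False
    if user and not _USER_OK.match(user):
        return False
    return bool(_HOST_OK.match(host))


def gssapi_kex_enabled(sshd_config: str) -> bool:
    """True if an sshd_config text enables GSSAPIKeyExchange.

    Mirrors sshd's first-value-wins rule for a directive; comments are
    stripped and both 'Key value' and 'Key=value' forms are accepted.
    Include directives are not followed (assumption: single-file audit).
    """
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"[ \t=]+", line, maxsplit=1)
        if len(fields) != 2:
            continue
        key, value = fields
        if key.lower() == "gssapikeyexchange":
            return value.strip().lower() == "yes"
    return False


if __name__ == "__main__":
    # Constructed sample inputs for a stand-alone run.
    print(check_username("alice"), check_username("alice\n"))
    print(check_ssh_uri("ssh://alice@example.com:22"),
          check_ssh_uri("ssh://alice%00@example.com"))
    print(gssapi_kex_enabled("GSSAPIKeyExchange yes\n"))
```

A wrapper that accepts a username or URI from a web form, ticket system or CMDB should call `check_username` or `check_ssh_uri` and refuse the job on `False` rather than trying to sanitise the value, since the ProxyCommand expansion happens inside ssh itself. `gssapi_kex_enabled` is intended for a fleet audit: hosts that return `True` are the ones where CVE-2026-3497 is reachable and should be prioritised for the update.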
