Red Hat Product Errata RHSA-2026:12389 - Security Advisory Issued: 2026-04-30 Updated: 2026-04-30 RHSA-2026:12389 - Security Advisory Overview Updated Packages Synopsis Important: openssh security update Type/Severity Security Advisory: Important Red Hat Lightspeed patch analysis Identify and remediate systems affected by this advisory. View affected systems Topic An update for openssh is now available for Red Hat Enterprise Linux 10.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server. Security Fix(es): OpenSSH: OpenSSH: Privilege escalation via scp legacy protocol when not preserving file mode (CVE-2026-35385) OpenSSH: OpenSSH: Security bypass via mishandling of authorized_keys principals option (CVE-2026-35414) OpenSSH: OpenSSH: Information disclosure due to unintended cryptographic algorithm usage (CVE-2026-35387) OpenSSH: OpenSSH: Low integrity impact from unconfirmed proxy-mode multiplexing sessions (CVE-2026-35388) OpenSSH: OpenSSH: Arbitrary command execution via shell metacharacters in username (CVE-2026-35386) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 Affected Products Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.0 x86_64 Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.0 s390x Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.0 ppc64le Red Hat Enterprise Linux for ARM 64 - Extended Update Support 10.0 aarch64 Red Hat Enterprise Linux for ARM 64 - 4 years of updates 10.0 aarch64 Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 10.0 s390x Red Hat Enterprise Linux for Power, little endian - 4 years of support 10.0 ppc64le Red Hat Enterprise Linux for x86_64 - 4 years of updates 10.0 x86_64 Fixes BZ - 2454469 - CVE-2026-35385 OpenSSH: OpenSSH: Privilege escalation via scp legacy protocol when not preserving file mode BZ - 2454490 - CVE-2026-35414 OpenSSH: OpenSSH: Security bypass via mishandling of authorized_keys principals option BZ - 2454494 - CVE-2026-35387 OpenSSH: OpenSSH: Information disclosure due to unintended cryptographic algorithm usage BZ - 2454500 - CVE-2026-35388 OpenSSH: OpenSSH: Low integrity impact from unconfirmed proxy-mode multiplexing sessions BZ - 2454506 - CVE-2026-35386 OpenSSH: OpenSSH: Arbitrary command execution via shell metacharacters in username CVEs CVE-2026-35385 CVE-2026-35386 CVE-2026-35387 CVE-2026-35388 CVE-2026-35414 References https://access.redhat.com/security/updates/classification/#important Note: More recent versions of these packages may be available. Click a package name for more details. Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.0 SRPM openssh-9.9p1-7.el10_0.3.src.rpm SHA-256: 134d53892803d62c9e7483e8db50bcfbad08377fd044afef20bf1ff3d8d88013 x86_64 openssh-9.9p1-7.el10_0.3.x86_64.rpm SHA-256: 042e695bc12f3fc31bd9fbb6d5b775519975af4ac3208c4f4647fdbbaadfff71 openssh-askpass-9.9p1-7.el10_0.3.x86_64.rpm SHA-256: 6b7da0b052c8e1f2babdf531d6cba93a326703421b8752e0fe57d0e2f44344ff openssh-askpass-debuginfo-9.9p1-7.el10_0.3.x86_64.rpm SHA-256: 2fba8dbefdb47fbbcce041dc1480dab3d45e092261f1c82a3217e733a08a659b openssh-askpass-debuginfo-9.9p1-7.el10_0.3.x86_64.rpm SHA-256: 2fba8dbefdb47fbbcce041dc1480dab3d45e092261f1c82a3217e733a08a659b openssh-clients-9.9p1-7.el10_0.3.x86_64.rpm SHA-256: ac62a5c80957f0a9f6ff21ff2ab27d09235530aed41008e4bc1d480662f23b8f openssh-clients-debuginfo-9.9p1-7.el10_0.3.x86_64.rpm SHA-256: 38f5b1a180073ebc23c2ea08a09bf6c7f9575bb84f3ef167fe820aa6a5df7a43 openssh-clients-debuginfo-9.9p1-7.el10_0.3.x86_64.rpm SHA-256: 38f5b1a180073ebc23c2ea08a09bf6c7f9575bb84f3ef167fe820aa6a5df7a43 openssh-debuginfo-9.9p1-7.el10_0.3.x86_64.rpm SHA-256: 4585ecde30d20ca5b14e1db46d4c1e42ea42fd938d067134455b4f59c3172862 openssh-debuginfo-9.9p1-7.el10_0.3.x86_64.rpm SHA-256: 4585ecde30d20ca5b14e1db46d4c1e42ea42fd938d067134455b4f59c3172862 openssh-debugsource-9.9p1-7.el10_0.3.x86_64.rpm SHA-256: dfe6e99711de8aa1cdc07cb5c6a7d91e2d92f85a68ce69f5194136fd98cc9a14 openssh-debugsource-9.9p1-7.el10_0.3.x86_64.rpm SHA-256: dfe6e99711de8aa1cdc07cb5c6a7d91e2d92f85a68ce69f5194136fd98cc9a14 openssh-keycat-9.9p1-7.el10_0.3.x86_64.rpm SHA-256: 0ef129248df7cf54e97d57fc3fc388dbbca9a83b3e6d818fd6af9c999cb779b4 openssh-keycat-debuginfo-9.9p1-7.el10_0.3.x86_64.rpm SHA-256: 880a9d3ca568febd5d326b9d5503c4d3dec581e1b2e09cb230dc47235289470d openssh-keycat-debuginfo-9.9p1-7.el10_0.3.x86_64.rpm SHA-256: 880a9d3ca568febd5d326b9d5503c4d3dec581e1b2e09cb230dc47235289470d openssh-keysign-9.9p1-7.el10_0.3.x86_64.rpm SHA-256: 5c435fea2de3ff24f2087595d1a289ba37624597b88f3693d1eef4ff8b0dcdd9 openssh-keysign-debuginfo-9.9p1-7.el10_0.3.x86_64.rpm SHA-256: 6c4069324ce0f303b4a2c339b71a112367e2fa7702ac7de97a4f6696fae0630d openssh-keysign-debuginfo-9.9p1-7.el10_0.3.x86_64.rpm SHA-256: 6c4069324ce0f303b4a2c339b71a112367e2fa7702ac7de97a4f6696fae0630d openssh-server-9.9p1-7.el10_0.3.x86_64.rpm SHA-256: 3d218b8d25f874617e02330beea2b5f35fd9a9a4bf982d9364bfa54d0bd9d020 openssh-server-debuginfo-9.9p1-7.el10_0.3.x86_64.rpm SHA-256: af888a6b6468312ccf095fd60be7810865eb9a41988b49810c32cb14bbee7eb8 openssh-server-debuginfo-9.9p1-7.el10_0.3.x86_64.rpm SHA-256: af888a6b6468312ccf095fd60be7810865eb9a41988b49810c32cb14bbee7eb8 openssh-sk-dummy-debuginfo-9.9p1-7.el10_0.3.x86_64.rpm SHA-256: e2a185e086f64021b07c8cffbce1531c29ec17690c954eb831de46dfd125afee openssh-sk-dummy-debuginfo-9.9p1-7.el10_0.3.x86_64.rpm SHA-256: e2a185e086f64021b07c8cffbce1531c29ec17690c954eb831de46dfd125afee Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.0 SRPM openssh-9.9p1-7.el10_0.3.src.rpm SHA-256: 134d53892803d62c9e7483e8db50bcfbad08377fd044afef20bf1ff3d8d88013 s390x openssh-9.9p1-7.el10_0.3.s390x.rpm SHA-256: 3a612c55aedc0c55e4651b8f62e1ff620e05270cca6baa986dedc205093b415b openssh-askpass-9.9p1-7.el10_0.3.s390x.rpm SHA-256: e44a11766e28a4d65600acd112d88cfab1996081c8b39bea343fc0b8a8ec5b6f openssh-askpass-debuginfo-9.9p1-7.el10_0.3.s390x.rpm SHA-256: c0e94a15b0d39e78925340b3f1180df9d95aff20df687ce868f47786dba883b7 openssh-askpass-debuginfo-9.9p1-7.el10_0.3.s390x.rpm SHA-256: c0e94a15b0d39e78925340b3f1180df9d95aff20df687ce868f47786dba883b7 openssh-clients-9.9p1-7.el10_0.3.s390x.rpm SHA-256: d6c606bc64517ae52fa3e528344c9b479a37d6216e884a829fa1f16aaa97575f openssh-clients-debuginfo-9.9p1-7.el10_0.3.s390x.rpm SHA-256: 89f7b4a1d366717fe3fc2fd4bee85dc57a523b911de0bc247c779745a6c73df5 openssh-clients-debuginfo-9.9p1-7.el10_0.3.s390x.rpm SHA-256: 89f7b4a1d366717fe3fc2fd4bee85dc57a523b911de0bc247c779745a6c73df5 openssh-debuginfo-9.9p1-7.el10_0.3.s390x.rpm SHA-256: 3133216094ee383689c2344507d882878799cdc1c868f2dcbca1844c8ce9a444 openssh-debuginfo-9.9p1-7.el10_0.3.s390x.rpm SHA-256: 3133216094ee383689c2344507d882878799cdc1c868f2dcbca1844c8ce9a444 openssh-debugsource-9.9p1-7.el10_0.3.s390x.rpm SHA-256: 97de734872a4a4ae35ca3420fba07c472f425cd8d7bd15db03c2c18dde398274 openssh-debugsource-9.9p1-7.el10_0.3.s390x.rpm SHA-256: 97de734872a4a4ae35ca3420fba07c472f425cd8d7bd15db03c2c18dde398274 openssh-keycat-9.9p1-7.el10_0.3.s390x.rpm SHA-256: 4efcab2650c203040d089dc1d6cb384ae10dd8f5a1166443ac7fe9b4d056555f openssh-keycat-debuginfo-9.9p1-7.el10_0.3.s390x.rpm SHA-256: 43a0e3ae10b899d93e3d740652cbcab8f9d8b5f391dec4d1ca98d6caa55fa55e openssh-keycat-debuginfo-9.9p1-7.el10_0.3.s390x.rpm SHA-256: 43a0e3ae10b899d93e3d740652cbcab8f9d8b5f391dec4d1ca98d6caa55fa55e openssh-keysign-9.9p1-7.el10_0.3.s390x.rpm SHA-256: 7df5ce14b1a5b23263a64b8e014ae003971b9f9db0c220249ac6fe10d9eb78a7 openssh-keysign-debuginfo-9.9p1-7.el10_0.3.s390x.rpm SHA-256: 070a444f22b2e7fe8c0a4479e4c12326a7c3188cac5acd4a18301dbf4bda3eff openssh-keysign-debuginfo-9.9p1-7.el10_0.3.s390x.rpm SHA-256: 070a444f22b2e7fe8c0a4479e4c12326a7c3188cac5acd4a18301dbf4bda3eff openssh-server-9.9p1-7.el10_0.3.s390x.rpm SHA-256: baf48747e6a935041b5099d2a278375e88e4ddd2a47dd4b3ade3bbae1ae31eb8 openssh-server-debuginfo-9.9p1-7.el10_0.3.s390x.rpm SHA-256: d558853f6e4e662b8591b34ea581b005acc4e192bded7d7cc0497ff7acc68157 openssh-server-debuginfo-9.9p1-7.el10_0.3.s390x.rpm SHA-256: d558853f6e4e662b8591b34ea581b005acc4e192bded7d7cc0497ff7acc68157 openssh-sk-dummy-debuginfo-9.9p1-7.el10_0.3.s390x.rpm SHA-256: 6ba33f2e46f52e535b1302a702abd30129f0043961ff1b45c40dcda6a49bd2b9 openssh-sk-dummy-debuginfo-9.9p1-7.el10_0.3.s390x.rpm SHA-256: 6ba33f2e46f52e535b1302a702abd30129f0043961ff1b45c40dcda6a49bd2b9 Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.0 SRPM openssh-9.9p1-7.el10_0.3.src.rpm SHA-256: 134d53892803d62c9e7483e8db50bcfbad08377fd044afef20bf1ff3d8d88013 ppc64le openssh-9.9p1-7.el10_0.3.ppc64le.rpm SHA-256: 9edb56f86b17b145e7e2159e98f78ef413a9ad265eac55ecbb7c399cbfca14ac openssh-askpass-9.9p1-7.el10_0.3.ppc64le.rpm SHA-256: ea56cea4e5fede955076518f38bda285f15bb4fec4fbdf77f63892847ed17595 openssh-askpass-debuginfo-9.9p1-7.el10_0.3.ppc64le.rpm SHA-256: 334a013af4b3bd86ea0b1b102c1506f0020ae97a906ad551efddeea980555f70 openssh-askpass-debuginfo-9.9p1-7.el10_0.3.ppc64le.rpm SHA-256: 334a013af4b3bd86ea0b1b102c1506f0020ae97a906ad551efddeea980555f70 openssh-clients-9.9p1-7.el10_0.3.ppc64le.rpm SHA-256: 71f3bbdd528b2dd976aa6b2b1543a416a5edaa6cbf3cbe0b2d7e57c40c3a23dc openssh-clients-debuginfo-9.9p1-7.el10_0.3.ppc64le.rpm SHA-256: d619a8a850ac37a46a4701c