Nixpkgs security tracker

Login with GitHub

Details of issue NIXPKGS-2026-0948

NIXPKGS-2026-0948
published on
Permalink CVE-2026-35414
4.2 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 1 day, 16 hours ago by @LeSuisse Activity log
  • Created automatic suggestion 4 days, 8 hours ago
  • @LeSuisse ignored reference https://m… 1 day, 16 hours ago
  • @LeSuisse removed package opensshTest 1 day, 16 hours ago
  • @LeSuisse removed package openssh-askpass 1 day, 16 hours ago
  • @LeSuisse removed package perlPackages.NetOpenSSH 1 day, 16 hours ago
  • @LeSuisse removed package perl5Packages.NetOpenSSH 1 day, 16 hours ago
  • @LeSuisse removed package lxqt.lxqt-openssh-askpass 1 day, 16 hours ago
  • @LeSuisse removed package perl538Packages.NetOpenSSH 1 day, 16 hours ago
  • @LeSuisse removed package perl540Packages.NetOpenSSH 1 day, 16 hours ago
  • @LeSuisse accepted 1 day, 16 hours ago
  • @LeSuisse published on GitHub 1 day, 16 hours ago
OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon …

OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.

Affected products

OpenSSH
  • <10.3

Matching in nixpkgs

pkgs.openssh_hpn

Implementation of the SSH protocol with high performance networking patches

Ignored packages (7)

Package maintainers