regreSSHion (CVE-2024-6387): The Ghost of 2006 Returns for Root

Alon Barad

Software Engineer

Jan 5, 2026·5 min read·17 visits

PoC AvailableCISA KEV Listed

Executive Summary (TL;DR)

OpenSSH's `sshd` has a signal handler race condition. If a client doesn't authenticate within `LoginGraceTime` (default 120s), `SIGALRM` is raised. The handler calls `syslog()`, which is not async-signal-safe. If this interrupts a heap operation (like `free()`) in the main thread, it corrupts the heap. Attackers can win this race to gain unauthenticated root RCE.

A signal handler race condition in OpenSSH's server (sshd) on glibc-based Linux systems allows unauthenticated remote code execution as root. This is a regression of a vulnerability originally fixed in 2006 (CVE-2006-5051), reintroduced via code refactoring.

Attack Flow Diagram

Official Patches

OpenSSHOpenSSH 9.8 Release Notes

UbuntuUbuntu Security Advisory

Fix Analysis (1)

Technical Appendix

CVSS Score

8.1/ 10

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

0.10%

Top 100% most exploited

14,000,000

Estimated exposed hosts via Shodan

Affected Systems

OpenSSH 8.5p1 through 9.7p1glibc-based Linux systems (Ubuntu, Debian, CentOS, RHEL, Fedora)32-bit systems (easier to exploit)64-bit systems (harder due to ASLR)

Affected Versions Detail

Product	Affected Versions	Fixed Version
OpenSSH OpenBSD	>= 8.5p1, < 9.8p1	9.8p1

Attribute	Detail
CWE ID	CWE-364 (Signal Handler Race Condition)
CVSS v3.1	8.1 (High)
Attack Vector	Network
Privileges Required	None
User Interaction	None
Exploit Status	Proof of Concept Available