regreSSHion: Time Travel is Real, and It Roots Your Box
Jan 5, 2026 · 5 min read
Executive Summary (TL;DR)
OpenSSH's `sshd` has a race condition in its `SIGALRM` handler. If a client has not authenticated within `LoginGraceTime` (120 s by default), the handler fires asynchronously. Unfortunately the handler logs the timeout through `syslog()` (via `sigdie()` and `do_log()`), and `syslog()` is not async-signal-safe: in glibc it calls `malloc()` and `free()`. sshd is single-threaded, so if the signal lands while the interrupted code in the pre-authentication process is itself inside `malloc()`/`free()`, the allocator is re-entered mid-update and its heap metadata is corrupted. Attackers can exploit this for unauthenticated code execution as root, but the race is narrow: Qualys' demonstration against 32-bit glibc with ASLR needed ~10,000 attempts, roughly 6-8 hours on average, and 64-bit exploitation is believed possible but was not demonstrated.
A signal handler race condition in OpenSSH's sshd (CVE-2024-6387, "regreSSHion") allows unauthenticated remote code execution as root on glibc-based Linux systems. OpenBSD itself is not affected: its handler logs through `syslog_r()`, which is async-signal-safe. This is a regression of CVE-2006-5051, fixed in 2006; the fix was lost in 8.5p1 (October 2020) when an `#ifdef DO_LOG_SAFE_IN_SIGHAND` guard was accidentally removed from `sigdie()`, proving that history doesn't just repeat itself—it recompiles.
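The pattern at the heart of the bug, as an added example rather than OpenSSH's own code: a SIGALRM handler that logs through `syslog()` beside one that touches only a `sig_atomic_t` flag and leaves logging to the main context. The grace period, the heap-churning work loop and the `run_grace_demo()` harness are constructed for illustration; OpenSSH 9.8p1's real fix simply calls `_exit()` from the handler without logging, and the flag-and-defer shape shown here is the other standard way to keep a handler async-signal-safe.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>
#include <sys/time.h>

/*
 * Vulnerable shape (how sshd 8.5p1 .. 9.7p1 behaved): the SIGALRM handler
 * logs the timeout via syslog() before exiting. syslog() is not
 * async-signal-safe; in glibc it allocates and frees. If the alarm lands
 * while the interrupted code is inside malloc()/free(), the allocator is
 * re-entered mid-update and its heap metadata is corrupted.
 */
static void grace_alarm_unsafe(int sig)
{
    (void)sig;
    syslog(LOG_INFO, "Timeout before authentication"); /* NOT async-signal-safe */
    _exit(1);                                           /* _exit() itself is safe */
}

/*
 * Safe shape: only store to a volatile sig_atomic_t (and, if needed, call
 * functions POSIX lists as async-signal-safe: _exit, write, kill, getpid...).
 * The log line is written later from the main context.
 */
static volatile sig_atomic_t grace_expired = 0;

static void grace_alarm_safe(int sig)
{
    (void)sig;
    grace_expired = 1;
}

static int install_alarm_handler(void (*fn)(int))
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = fn;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;              /* no SA_RESTART: let the alarm interrupt */
    return sigaction(SIGALRM, &sa, NULL);
}

/* Arm a one-shot real-time timer; ms == 0 disarms it. */
static void arm_grace_timer(unsigned ms)
{
    struct itimerval it;
    memset(&it, 0, sizeof it);
    it.it_value.tv_sec  = ms / 1000;
    it.it_value.tv_usec = (long)(ms % 1000) * 1000;
    setitimer(ITIMER_REAL, &it, NULL);
}

/*
 * Stand-in for sshd's pre-authentication work: churn the heap the way packet
 * and key parsing do, under a constructed "LoginGraceTime" of grace_ms.
 * unsafe != 0 installs the vulnerable handler (the process then exits from
 * inside the handler, as the old sshd did). Returns 1 if the grace timer
 * expired and was handled in the main context, 0 if the work budget ran out
 * first, -1 if the handler could not be installed.
 */
int run_grace_demo(unsigned grace_ms, unsigned long work_iters, int unsafe)
{
    grace_expired = 0;
    if (install_alarm_handler(unsafe ? grace_alarm_unsafe : grace_alarm_safe) != 0)
        return -1;
    arm_grace_timer(grace_ms);

    for (unsigned long i = 0; i < work_iters; i++) {
        char *p = malloc(64 + (size_t)(i % 512));   /* the window the race targets */
        if (p != NULL) { p[0] = (char)i; free(p); }
        if (grace_expired) {
            arm_grace_timer(0);
            /* Normal context: the allocator and syslog() are safe to use here. */
            syslog(LOG_INFO, "Timeout before authentication (deferred log)");
            return 1;
        }
    }
    arm_grace_timer(0);
    return 0;
}

int main(int argc, char **argv)
{
    int unsafe = (argc > 1 && strcmp(argv[1], "--unsafe") == 0);
    /* 50 ms grace period, unbounded work: the timer always wins. */
    int rc = run_grace_demo(50, (unsigned long)-1, unsafe);
    return rc == 1 ? 0 : 1;
}
```

Run it with `--unsafe` and it will almost always look fine: the alarm rarely lands inside the allocator, which is exactly why the bug survived four years in shipping code and why the exploit needs thousands of attempts to hit the interleaving. The absence of a crash is not evidence of async-signal-safety; the only check that holds is that every call reachable from the handler is on the POSIX async-signal-safe list.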
Official Patches
The fix shipped in OpenSSH 9.8p1 (July 1, 2024): `grace_alarm_handler()` no longer logs from signal context and calls `_exit()` directly. Distributions backport this fix under older version strings, so check the package changelog rather than the banner alone. Where upgrading is not immediately possible, set `LoginGraceTime 0` in `sshd_config`; the SIGALRM handler then never fires, which removes the RCE but leaves a denial-of-service vector (unauthenticated connections can hold the `MaxStartups` slots indefinitely).
Technical Appendix
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| OpenSSH (OpenBSD Foundation) | >= 8.5p1, < 9.8p1 | 9.8p1 |
| OpenSSH (OpenBSD Foundation) | < 4.4p1, unless the CVE-2006-5051 / CVE-2008-4109 fixes were backported | 4.4p1 |
Versions 4.4p1 through 8.4p1 are not affected. Exploitation has only been demonstrated against glibc-based Linux.
| Attribute | Detail |
|---|---|
| CVE ID | CVE-2024-6387 |
| CWE ID | CWE-364 (Signal Handler Race Condition) |
| Attack Vector | Network (AV:N) |
| Impact | Root RCE |
| CVSS v3.1 | 8.1 (High) |
| Exploit Status | PoC Available / Complex |
| Complexity | High (AC:H) |
MITRE ATT&CK Mapping
T1190 Exploit Public-Facing Application: unauthenticated exploitation of a network-reachable sshd.
Underlying weakness (CWE-364): signal handler race condition causing memory corruption.