Jan 6, 2026 · 5 min read
OpenSSH server (sshd) contains a race condition in its signal handling logic. By winning a race against the `LoginGraceTime` timer, an unauthenticated attacker can interrupt the heap manager in an inconsistent state, leading to heap corruption and eventual Remote Code Execution (RCE) as root. It affects default configurations of OpenSSH versions 8.5p1 through 9.7p1 on glibc-based Linux systems.
A signal handler race condition in OpenSSH's sshd allows unauthenticated remote code execution (RCE) as root on glibc-based Linux systems. This is a regression of a vulnerability originally fixed in 2006 (CVE-2006-5051).
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

| Product | Affected Versions | Fixed Version |
|---|---|---|
| OpenSSH OpenBSD | >= 8.5p1, < 9.8p1 | 9.8p1 |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-364 |
| Attack Vector | Network |
| CVSS | 8.1 (High) |
| Impact | Remote Code Execution (Root) |
| Architecture | x86 (glibc), amd64 (glibc) |
| Complexity | High (Race Condition) |
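
For fleet triage, the affected range stated above (>= 8.5p1, < 9.8p1) can be checked against collected SSH banners or `sshd -V` output. The following is an added example, not code from the advisory or from OpenSSH; the function names, hostnames and banners are constructed for illustration. An "in-range" result marks a host for follow-up rather than proving it vulnerable: distributions often backport fixes without changing the upstream version string, and the page limits the issue to glibc-based Linux.

```python
import re

# Affected range as stated on this page: >= 8.5p1 and < 9.8p1.
FIRST_AFFECTED = (8, 5, 1)
FIRST_FIXED = (9, 8, 1)

# The page gives the range in portable (pN) releases, so a pN suffix is required.
_VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)p(\d+)")


def parse_openssh_version(text):
    """Return (major, minor, portable_patch) from a banner or version line, or None."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    return tuple(int(part) for part in m.groups())


def classify(text):
    """Map a version string to 'in-range', 'out-of-range' or 'unknown'."""
    version = parse_openssh_version(text)
    if version is None:
        # Not OpenSSH portable, or a format this check does not understand:
        # leave it for manual review instead of guessing.
        return "unknown"
    if FIRST_AFFECTED <= version < FIRST_FIXED:
        return "in-range"
    return "out-of-range"


def triage(inventory):
    """inventory: iterable of (host, banner) pairs. Returns {host: classification}."""
    return {host: classify(banner) for host, banner in inventory}


# Constructed sample inventory (hostnames and banners are made up for illustration).
SAMPLE = [
    ("host-a", "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13"),
    ("host-b", "SSH-2.0-OpenSSH_8.4p1 Debian-5"),
    ("host-c", "SSH-2.0-OpenSSH_9.8p1"),
    ("host-d", "SSH-2.0-OpenSSH_8.5p1"),
    ("host-e", "SSH-2.0-dropbear_2022.83"),
    ("host-f", "SSH-2.0-OpenSSH_9.7"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

For hosts reported as "in-range", confirm the installed package revision against the distribution's own security tracker before scheduling remediation.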