Ubuntu USN · USN-8222-1

OpenSSH vulnerabilities

Published: Wed, 29 Apr 2026 12:10

CVE-2026-35414CVE-2026-35387CVE-2026-35386CVE-2026-35388CVE-2026-35385

Summary

Several security issues were fixed in OpenSSH.

Details

Christos Papakonstantinou discovered that the OpenSSH scp tool incorrectly handled the legacy scp protocol (-O) option. This could result in certain files being installed setuid or setgid, contrary to expectations. (CVE-2026-35385) Florian Kohnhäuser discovered that OpenSSH incorrectly handled shell metacharacters in usernames within a command line. When untrusted usernames and non-default configurations using % in ssh_config are being used, an attacker could possibly use this issue to execute arbitrary code. (CVE-2026-35386) Christos Papakonstantinou discovered that OpenSSH incorrectly handled parsing the PubkeyAcceptedAlgorithms and HostbasedAcceptedAlgorithms options. This could result in unintended ECDSA algorithms being used, contrary to expectations. (CVE-2026-35387) Michalis Vasileiadis discovered that OpenSSH incorrectly handled proxy-mode multiplexing sessions. This could result in no confirmation being asked, contrary to expectations. (CVE-2026-35388) Vladimir Tokarev discovered that OpenSSH incorrectly handled certificates with the principal name containing a comma character when using user-trusted CA keys in authorized_keys and an authorized_keys principals="" option that lists more than one principal. This could result in inappropriate principal matching, contrary to expectations. (CVE-2026-35414)

Recommended actions per Ubuntu release

StackPatch playbook auto-generated per release codename and per affected package.

Ubuntu jammy

openssh→1:8.9p1-3ubuntu0.15apt_upgrade
Standard apt upgrade. Install 1:8.9p1-3ubuntu0.15 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y openssh
```
Most apt upgrades restart their service automatically. needrestart lists anything else.
openssh-client→1:8.9p1-3ubuntu0.15apt_upgrade
Standard apt upgrade. Install 1:8.9p1-3ubuntu0.15 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y openssh-client
```
Most apt upgrades restart their service automatically. needrestart lists anything else.
openssh-server→1:8.9p1-3ubuntu0.15apt_upgrade
Standard apt upgrade. Install 1:8.9p1-3ubuntu0.15 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y openssh-server
```
Most apt upgrades restart their service automatically. needrestart lists anything else.
openssh-sftp-server→1:8.9p1-3ubuntu0.15apt_upgrade
Standard apt upgrade. Install 1:8.9p1-3ubuntu0.15 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y openssh-sftp-server
```
Most apt upgrades restart their service automatically. needrestart lists anything else.
openssh-tests→1:8.9p1-3ubuntu0.15apt_upgrade
Standard apt upgrade. Install 1:8.9p1-3ubuntu0.15 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y openssh-tests
```
Most apt upgrades restart their service automatically. needrestart lists anything else.
ssh→1:8.9p1-3ubuntu0.15apt_upgrade
Standard apt upgrade. Install 1:8.9p1-3ubuntu0.15 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y ssh
```
Most apt upgrades restart their service automatically. needrestart lists anything else.
ssh-askpass-gnome→1:8.9p1-3ubuntu0.15apt_upgrade
Standard apt upgrade. Install 1:8.9p1-3ubuntu0.15 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y ssh-askpass-gnome
```
Most apt upgrades restart their service automatically. needrestart lists anything else.

Ubuntu noble

openssh→1:9.6p1-3ubuntu13.16apt_upgrade
Standard apt upgrade. Install 1:9.6p1-3ubuntu13.16 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y openssh
```
Most apt upgrades restart their service automatically. needrestart lists anything else.
openssh-client→1:9.6p1-3ubuntu13.16apt_upgrade
Standard apt upgrade. Install 1:9.6p1-3ubuntu13.16 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y openssh-client
```
Most apt upgrades restart their service automatically. needrestart lists anything else.
openssh-server→1:9.6p1-3ubuntu13.16apt_upgrade
Standard apt upgrade. Install 1:9.6p1-3ubuntu13.16 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y openssh-server
```
Most apt upgrades restart their service automatically. needrestart lists anything else.
openssh-sftp-server→1:9.6p1-3ubuntu13.16apt_upgrade
Standard apt upgrade. Install 1:9.6p1-3ubuntu13.16 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y openssh-sftp-server
```
Most apt upgrades restart their service automatically. needrestart lists anything else.
openssh-tests→1:9.6p1-3ubuntu13.16apt_upgrade
Standard apt upgrade. Install 1:9.6p1-3ubuntu13.16 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y openssh-tests
```
Most apt upgrades restart their service automatically. needrestart lists anything else.
ssh→1:9.6p1-3ubuntu13.16apt_upgrade
Standard apt upgrade. Install 1:9.6p1-3ubuntu13.16 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y ssh
```
Most apt upgrades restart their service automatically. needrestart lists anything else.
ssh-askpass-gnome→1:9.6p1-3ubuntu13.16apt_upgrade
Standard apt upgrade. Install 1:9.6p1-3ubuntu13.16 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y ssh-askpass-gnome
```
Most apt upgrades restart their service automatically. needrestart lists anything else.

Ubuntu questing

openssh→1:10.0p1-5ubuntu5.4apt_upgrade
Standard apt upgrade. Install 1:10.0p1-5ubuntu5.4 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y openssh
```
Most apt upgrades restart their service automatically. needrestart lists anything else.
openssh-client→1:10.0p1-5ubuntu5.4apt_upgrade
Standard apt upgrade. Install 1:10.0p1-5ubuntu5.4 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y openssh-client
```
Most apt upgrades restart their service automatically. needrestart lists anything else.
openssh-client-gssapi→1:10.0p1-5ubuntu5.4apt_upgrade
Standard apt upgrade. Install 1:10.0p1-5ubuntu5.4 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y openssh-client-gssapi
```
Most apt upgrades restart their service automatically. needrestart lists anything else.
openssh-server→1:10.0p1-5ubuntu5.4apt_upgrade
Standard apt upgrade. Install 1:10.0p1-5ubuntu5.4 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y openssh-server
```
Most apt upgrades restart their service automatically. needrestart lists anything else.
openssh-server-gssapi→1:10.0p1-5ubuntu5.4apt_upgrade
Standard apt upgrade. Install 1:10.0p1-5ubuntu5.4 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y openssh-server-gssapi
```
Most apt upgrades restart their service automatically. needrestart lists anything else.
openssh-sftp-server→1:10.0p1-5ubuntu5.4apt_upgrade
Standard apt upgrade. Install 1:10.0p1-5ubuntu5.4 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y openssh-sftp-server
```
Most apt upgrades restart their service automatically. needrestart lists anything else.
openssh-tests→1:10.0p1-5ubuntu5.4apt_upgrade
Standard apt upgrade. Install 1:10.0p1-5ubuntu5.4 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y openssh-tests
```
Most apt upgrades restart their service automatically. needrestart lists anything else.
ssh→1:10.0p1-5ubuntu5.4apt_upgrade
Standard apt upgrade. Install 1:10.0p1-5ubuntu5.4 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y ssh
```
Most apt upgrades restart their service automatically. needrestart lists anything else.
ssh-askpass-gnome→1:10.0p1-5ubuntu5.4apt_upgrade
Standard apt upgrade. Install 1:10.0p1-5ubuntu5.4 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y ssh-askpass-gnome
```
Most apt upgrades restart their service automatically. needrestart lists anything else.

Ubuntu resolute

openssh→1:10.2p1-2ubuntu3.2apt_upgrade
Standard apt upgrade. Install 1:10.2p1-2ubuntu3.2 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y openssh
```
Most apt upgrades restart their service automatically. needrestart lists anything else.
openssh-client→1:10.2p1-2ubuntu3.2apt_upgrade
Standard apt upgrade. Install 1:10.2p1-2ubuntu3.2 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y openssh-client
```
Most apt upgrades restart their service automatically. needrestart lists anything else.
openssh-client-gssapi→1:10.2p1-2ubuntu3.2apt_upgrade
Standard apt upgrade. Install 1:10.2p1-2ubuntu3.2 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y openssh-client-gssapi
```
Most apt upgrades restart their service automatically. needrestart lists anything else.
openssh-server→1:10.2p1-2ubuntu3.2apt_upgrade
Standard apt upgrade. Install 1:10.2p1-2ubuntu3.2 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y openssh-server
```
Most apt upgrades restart their service automatically. needrestart lists anything else.
openssh-server-gssapi→1:10.2p1-2ubuntu3.2apt_upgrade
Standard apt upgrade. Install 1:10.2p1-2ubuntu3.2 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y openssh-server-gssapi
```
Most apt upgrades restart their service automatically. needrestart lists anything else.
openssh-sftp-server→1:10.2p1-2ubuntu3.2apt_upgrade
Standard apt upgrade. Install 1:10.2p1-2ubuntu3.2 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y openssh-sftp-server
```
Most apt upgrades restart their service automatically. needrestart lists anything else.
openssh-tests→1:10.2p1-2ubuntu3.2apt_upgrade
Standard apt upgrade. Install 1:10.2p1-2ubuntu3.2 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y openssh-tests
```
Most apt upgrades restart their service automatically. needrestart lists anything else.
ssh→1:10.2p1-2ubuntu3.2apt_upgrade
Standard apt upgrade. Install 1:10.2p1-2ubuntu3.2 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y ssh
```
Most apt upgrades restart their service automatically. needrestart lists anything else.
ssh-askpass-gnome→1:10.2p1-2ubuntu3.2apt_upgrade
Standard apt upgrade. Install 1:10.2p1-2ubuntu3.2 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y ssh-askpass-gnome
```
Most apt upgrades restart their service automatically. needrestart lists anything else.

Are YOU affected by USN-8222-1?

5-second check on your actual server. Reads /etc/os-release, uname -r, and dpkg-query; matches against the live USN + Debian Security Tracker feeds; tells you whether USN-8222-1 (and any other live CVE) applies. Anonymous, no signup.

curl https://mindsparkstack.com/scan.sh | bash

Form-based quickscan Read the bash source first

Want this automated for your servers?

StackPatch runs this match against YOUR installed packages every hour

Free 1-server / $99 lifetime founder seat (50 only) / $19+/mo monthly. Indie pricing.

Buy lifetime →See StackPatch →Live audit log →