USN-8222-1 · OpenSSH · HIGH · ubuntu noble

USN-8222-1 — OpenSSH 9.6p1 vulnerabilities (CVE-2026-35385 et al.)

Five CVEs across openssh-client, openssh-server, and openssh-sftp-server on Ubuntu 24.04 (noble). Fix shipped in 1:9.6p1-3ubuntu13.16. Standard apt upgrade, no reboot required, existing SSH sessions survive the package swap.

Fix command (one-liner)
sudo apt-get update
sudo apt-get install --only-upgrade -y openssh-client openssh-server openssh-sftp-server

Verify post-upgrade with dpkg -l openssh-server | grep ^ii; the Version column should read 1:9.6p1-3ubuntu13.16 or higher. No manual daemon restart is needed: the package's post-install step restarts sshd itself, and it does so without dropping your active session because each established connection is served by its own already-forked sshd process, which restarting the listener leaves alone.
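The version check above is easy to get wrong by eye (the 1: epoch and the 13.16 vs 13.9 revision both matter), so here is an added example, not part of the StackPatch page, that reads dpkg -l output and compares the installed version of each of the three packages against the fixed version using the same epoch/upstream/revision ordering that dpkg --compare-versions applies. The fixed version and package names come from the advisory text; the sample dpkg -l output is constructed, and the 13.5 revision in it is invented to show an unpatched package.

```python
import subprocess

# Fixed version and package names as stated in the USN-8222-1 summary above.
FIXED_VERSION = "1:9.6p1-3ubuntu13.16"
PACKAGES = ("openssh-client", "openssh-server", "openssh-sftp-server")

# Constructed `dpkg -l` output, used when dpkg is not on the machine running this.
# The 13.5 revision is invented so that one package shows up as still affected.
SAMPLE_DPKG_OUTPUT = """\
||/ Name                 Version                  Architecture Description
+++-====================-========================-============-=================
ii  openssh-client       1:9.6p1-3ubuntu13.16     amd64        secure shell (SSH) client
ii  openssh-server       1:9.6p1-3ubuntu13.5      amd64        secure shell (SSH) server
ii  openssh-sftp-server  1:9.6p1-3ubuntu13.16     amd64        secure shell (SSH) sftp server module
"""


def _order(c: str) -> int:
    """Character weight dpkg uses for the non-digit runs of a version string."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1           # '~' sorts before anything, even end of string (9.6p1~rc1 < 9.6p1)
    return ord(c) + 256     # other punctuation sorts after letters


def _verrevcmp(a: str, b: str) -> int:
    """Compare one version component the way dpkg does: alternate non-digit and digit runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":   # leading zeros are not significant
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1        # a's number has more digits, so it is larger (16 > 9)
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str) -> tuple:
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision); epoch defaults to 0."""
    epoch = 0
    if ":" in version:
        head, version = version.split(":", 1)
        epoch = int(head)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 with dpkg's ordering: epoch first, then upstream, then revision."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        c = _verrevcmp(x, y)
        if c:
            return -1 if c < 0 else 1
    return 0


def unpatched(dpkg_output: str, fixed: str = FIXED_VERSION) -> dict:
    """Map each installed ('ii') OpenSSH package whose version is below `fixed` to that version."""
    result = {}
    for line in dpkg_output.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "ii":
            continue
        name = fields[1].split(":", 1)[0]   # drop a ':amd64' multi-arch suffix if present
        if name in PACKAGES and compare_versions(fields[2], fixed) < 0:
            result[name] = fields[2]
    return result


if __name__ == "__main__":
    try:   # check=False: dpkg exits non-zero when a listed package is absent, output is still usable
        out = subprocess.run(["dpkg", "-l", *PACKAGES], capture_output=True, text=True).stdout
    except FileNotFoundError:
        out = SAMPLE_DPKG_OUTPUT
    missing = unpatched(out)
    for name, ver in sorted(missing.items()):
        print(f"{name}: {ver} is below {FIXED_VERSION}, still affected by USN-8222-1")
    if not missing:
        print("all installed OpenSSH packages are at or above", FIXED_VERSION)
```

Run it on the host as-is; on a machine without dpkg it falls back to the constructed sample. Note that dpkg -l prints "un" rather than "ii" for a package that is not installed, so a package absent from the host simply does not appear in the result.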

CVEs covered by USN-8222-1

CVE-2026-35385: OpenSSH scp legacy protocol (-O) installs files setuid/setgid
CVE-2026-35386: OpenSSH ProxyCommand shell metacharacter expansion
CVE-2026-35387: Username metacharacter handling in command-line config
CVE-2026-35388: Information disclosure via verbose-mode error path
CVE-2026-35414: Heap overflow in legacy keepalive handling

See the upstream notice at ubuntu.com/security/notices/USN-8222-1 for full per-CVE detail.

Check if you're affected (5 seconds)

StackPatch quickscan reads your distro / kernel / installed packages and tells you if USN-8222-1 (and any other live USN / DSA CVE) applies.

curl https://mindsparkstack.com/scan.sh | bash

Source rendered as text/plain at /scan.sh so you can read before piping. Anonymous, no signup.

Why this matters even if you patched

OpenSSH bugs are particularly nasty because they're on the network-facing side of every Linux box. CVE-2026-35385 (the scp setuid/setgid issue) is the showstopper — under specific conditions, files copied via legacy scp protocol could end up with elevated privilege bits, opening the door to local privilege escalation through a separate exploit chain.

The other four CVEs are individually less severe but each one increases the attack surface for an authenticated user to influence the OpenSSH server's behavior. Patching them as a bundle (which is what the apt upgrade does) closes the cluster.
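Because the scp issue is about files landing with setuid/setgid bits they should not have, the defender's follow-up after patching is to audit the directories that scp writes into. The following is an added example, not code from the StackPatch page or from the Ubuntu advisory: it walks a tree, flags regular files carrying either privilege bit, and lets you subtract a list of paths you already know are legitimately setuid. Paths and modes in the test are constructed.

```python
import os
import stat
import sys
from typing import Iterable, Iterator

# A regular file with either of these bits runs with its owner's or group's privileges.
PRIV_BITS = stat.S_ISUID | stat.S_ISGID


def privileged_entries(entries: Iterable[tuple], known=frozenset()) -> list:
    """From (path, st_mode) pairs, return regular files that carry setuid or setgid
    and are not in `known`, paired with their permission bits as an octal string.
    Directories are ignored: setgid on a directory only affects group inheritance."""
    hits = []
    for path, mode in entries:
        if path in known:
            continue
        if stat.S_ISREG(mode) and mode & PRIV_BITS:
            hits.append((path, oct(stat.S_IMODE(mode))))
    return hits


def walk_modes(root: str) -> Iterator[tuple]:
    """Yield (path, st_mode) for every file below root; lstat so symlinks are reported, not followed."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                yield path, os.lstat(path).st_mode
            except OSError:
                continue   # vanished or unreadable entry: skip it rather than abort the audit


def audit(root: str, known=frozenset()) -> list:
    """Audit one directory tree (for example an scp landing directory) for privileged bits."""
    return privileged_entries(walk_modes(root), known)


if __name__ == "__main__":
    # Usage: python3 audit_setuid.py /srv/incoming [known-good-path ...]
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, bits in audit(root, frozenset(sys.argv[2:])):
        print(f"{bits} {path}")
```

Point it at the directories remote users could have copied into during the unpatched window; an empty result is the expected outcome, and any hit is something to explain before it is chmod'd away.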

Continuous monitoring beats manual checking

USN-8222-1 dropped silently in your distro's update channel. If you're not running apt list --upgradable daily, you missed it. StackPatch runs the matcher hourly against the live USN feed and emails you when a patched version exists for one of your servers. $99 lifetime, 50 founder seats, refund within 30 days.