OpenSSH 10.4 Patches Memory Exhaustion and Host Key Flaw

The new release closes a remote memory exhaustion attack vector and adds experimental post quantum signature support while breaking some automation scripts with configuration output changes.

CSBadmin
2 Min Read

Security Improvements and Vulnerability Patches

The OpenSSH project released version 10.4 on July 6, 2026, addressing several security vulnerabilities across its core components. A flaw in sftp(1) could allow a malicious server to redirect downloaded files to unintended locations during command line operations. The scp(1) utility received a fix to prevent rogue servers from writing files outside the target directory during remote to remote copy operations. The sshd(8) daemon was patched to correct a silent truncation bug in the internal SFTP subsystem that could discard critical security options beyond the ninth command line argument. The Orange Cyberdefense Vulnerability Team contributed fixes that enforce minimum authentication delays which were previously bypassable.

Post Quantum Cryptography and Protocol Hardening

OpenSSH 10.4 introduces experimental support for a composite post quantum signature scheme that combines ML-DSA 44 with Ed25519, following the draft-miller-sshm-mldsa44-ed25519-composite-sigs specification. This feature requires explicit configuration and key generation and is not enabled by default. The transport protocol now disconnects peers sending non key exchange messages during post authentication re exchange, closing a vector that allowed malicious peers to exhaust memory through buffered messages. On Linux systems, seccomp sandbox failures are now treated as fatal errors rather than simple log entries, forcing explicit build time configuration for systems lacking these kernel features.

Source: Cyber Security News

CSBadmin

The latest in cybersecurity news and updates.

Share This Article
Follow:
The latest in cybersecurity news and updates.