OpenSSH 9.7 Fixes Critical Vulnerabilities, Adds New Features
Key Takeaways OpenSSH version 10.4 was released on July 6, 2026, featuring significant security updates and new functionalities. The update addresses several vulnerabilities, including issues in...
Key Takeaways
- OpenSSH version 10.4 was released on July 6, 2026, featuring significant security updates and new functionalities.
- The update addresses several vulnerabilities, including issues in sftp(1), scp(1), and sshd(8), which could lead to file redirection, unauthorized file writes, and denial-of-service.
- Critical fixes prevent malicious servers from manipulating file downloads and remote-to-remote copies, and resolve a silent truncation bug in sshd’s “internal-sftp.”
- The release introduces experimental post-quantum cryptography support and enhances security hardening through stricter protocol enforcement and seccomp sandbox behavior.
- Users are strongly advised to update to OpenSSH 10.4 to mitigate identified security risks and leverage new features.
OpenSSH 10.4: Major Security Overhaul and Post-Quantum Readiness
OpenSSH, the ubiquitous suite of secure networking utilities, rolled out version 10.4 on July 6, 2026. This significant update delivers a suite of security patches, reinforces protocol integrity, and introduces preliminary support for post-quantum cryptography, making it a crucial release for system administrators and security professionals. The official OpenSSH website provides access to the new packages through various mirrors.
Table Of Content
Core Security Vulnerabilities Addressed
The 10.4 release targets several critical vulnerabilities across its core components. In sftp(1), a flaw has been patched that previously allowed malicious servers to redirect downloaded files to unintended locations when users executed command-line operations such as “sftp host:/path .”. Similarly, scp(1) received a fix to prevent hostile servers from writing files outside the designated target directory during remote-to-remote file transfer operations.
The sshd(8) daemon also received attention, with fixes for a silent truncation bug in its “internal-sftp” component. This bug could inadvertently discard security-relevant options beyond the ninth command-line argument. Furthermore, corrections were implemented to properly enforce minimum authentication delays, a security measure that the Orange Cyberdefense Vulnerability Team had identified as being bypassable in prior versions.
Other important security enhancements include a resolution for a pre-authentication denial-of-service vulnerability linked to GSSAPIAuthentication. A client-side use-after-free bug in ssh(1), which could be triggered if a server altered its host key mid-session, was also fixed, thanks to reporting by researcher Zhenpeng (Leo) Lin.
Enhanced Protocol Hardening and Breaking Changes
OpenSSH 10.4 introduces several changes designed to strengthen its overall security posture, some of which may impact existing configurations. The transport protocol now enforces stricter behavior, disconnecting peers that transmit non-KEX messages during a post-authentication key re-exchange. This closes a previously exploitable gap where malicious peers could exhaust system memory by buffering extraneous messages.
For Linux environments, seccomp sandbox failures are now treated as fatal errors rather than merely logged events. This change mandates that systems lacking the necessary kernel features must explicitly disable sandboxing during the build process. Additionally, the sshd -G configuration dump mode now outputs directives in mixed-case, a cosmetic yet potentially breaking change for automated scripts that rely on specific output formatting.
Post-Quantum Cryptography and Performance Improvements
A headline feature of this release is the experimental inclusion of a composite post-quantum signature scheme. This scheme combines ML-DSA 44 and Ed25519, adhering to the draft-miller-sshm-mldsa44-ed25519-composite-sigs specification. It is important to note that this feature is not enabled by default and requires explicit configuration, along with keys generated using “ssh-keygen -t mldsa44-ed25519.”
Beyond security and new protocols, performance also sees an upgrade. Both ssh(1) and sshd(8) now utilize an NFA-based wildcard pattern matcher. This eliminates exponential worst-case performance issues that plagued the previous implementation, leading to more efficient processing.
The release also incorporates numerous general bug fixes, including corrections for FIDO token key downloads, out-of-bounds read fixes within sftp(1), and a significant refactoring of sshd_config parsing for improved privilege-separation serialization. Enhanced bounds checking in cryptographic signing code further contributes to the robustness of the suite.
Portability updates ensure fmt_scaled.c and getrrsetbyname.c are synchronized with OpenBSD upstream, and several memory leaks identified in error paths have been patched.
Source packages are available as openssh-10.4.tar.gz and openssh-10.4p1.tar.gz. Both can be verified using SHA1 and base64-encoded SHA256 checksums, with signing keys distributed via official mirror sites.
What You Should Do
- Immediately Update: System administrators and users should prioritize updating all OpenSSH installations to version 10.4 to patch critical vulnerabilities.
- Review Configurations: Be aware of potentially incompatible changes, particularly regarding seccomp sandbox failures and the sshd -G output format. Adjust automation scripts and build processes as necessary.
- Consider Post-Quantum Cryptography: For organizations preparing for post-quantum security, begin experimenting with the new ML-DSA 44 and Ed25519 composite signature scheme in non-production environments.
- Verify Downloads: Always verify the integrity of downloaded packages using the provided SHA1 and SHA256 checksums and signing keys from official mirror sites.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.