Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Gentlemen Ransomware Exploits 21 Remote Execution Techniques
July 6, 2026
SilverFox Hackers Deploy Go RAT, AV Killer, Kernel Rootkit in ValleyRAT Campaign
July 6, 2026
OpenSSH 9.7 Fixes Critical Vulnerabilities, Adds New Features
July 6, 2026
Home/CyberSecurity News/OpenSSH 9.7 Fixes Critical Vulnerabilities, Adds New Features
CyberSecurity News

OpenSSH 9.7 Fixes Critical Vulnerabilities, Adds New Features

Key Takeaways OpenSSH version 10.4 was released on July 6, 2026, featuring significant security updates and new functionalities. The update addresses several vulnerabilities, including issues in...

Marcus Rodriguez
Marcus Rodriguez
July 6, 2026 4 Min Read
3 0

Key Takeaways

  • OpenSSH version 10.4 was released on July 6, 2026, featuring significant security updates and new functionalities.
  • The update addresses several vulnerabilities, including issues in sftp(1), scp(1), and sshd(8), which could lead to file redirection, unauthorized file writes, and denial-of-service.
  • Critical fixes prevent malicious servers from manipulating file downloads and remote-to-remote copies, and resolve a silent truncation bug in sshd’s “internal-sftp.”
  • The release introduces experimental post-quantum cryptography support and enhances security hardening through stricter protocol enforcement and seccomp sandbox behavior.
  • Users are strongly advised to update to OpenSSH 10.4 to mitigate identified security risks and leverage new features.

OpenSSH 10.4: Major Security Overhaul and Post-Quantum Readiness

OpenSSH, the ubiquitous suite of secure networking utilities, rolled out version 10.4 on July 6, 2026. This significant update delivers a suite of security patches, reinforces protocol integrity, and introduces preliminary support for post-quantum cryptography, making it a crucial release for system administrators and security professionals. The official OpenSSH website provides access to the new packages through various mirrors.

Table Of Content

  • Key Takeaways
  • OpenSSH 10.4: Major Security Overhaul and Post-Quantum Readiness
  • Core Security Vulnerabilities Addressed
  • Enhanced Protocol Hardening and Breaking Changes
  • Post-Quantum Cryptography and Performance Improvements
  • What You Should Do

Core Security Vulnerabilities Addressed

The 10.4 release targets several critical vulnerabilities across its core components. In sftp(1), a flaw has been patched that previously allowed malicious servers to redirect downloaded files to unintended locations when users executed command-line operations such as “sftp host:/path .”. Similarly, scp(1) received a fix to prevent hostile servers from writing files outside the designated target directory during remote-to-remote file transfer operations.

The sshd(8) daemon also received attention, with fixes for a silent truncation bug in its “internal-sftp” component. This bug could inadvertently discard security-relevant options beyond the ninth command-line argument. Furthermore, corrections were implemented to properly enforce minimum authentication delays, a security measure that the Orange Cyberdefense Vulnerability Team had identified as being bypassable in prior versions.

Other important security enhancements include a resolution for a pre-authentication denial-of-service vulnerability linked to GSSAPIAuthentication. A client-side use-after-free bug in ssh(1), which could be triggered if a server altered its host key mid-session, was also fixed, thanks to reporting by researcher Zhenpeng (Leo) Lin.

Enhanced Protocol Hardening and Breaking Changes

OpenSSH 10.4 introduces several changes designed to strengthen its overall security posture, some of which may impact existing configurations. The transport protocol now enforces stricter behavior, disconnecting peers that transmit non-KEX messages during a post-authentication key re-exchange. This closes a previously exploitable gap where malicious peers could exhaust system memory by buffering extraneous messages.

For Linux environments, seccomp sandbox failures are now treated as fatal errors rather than merely logged events. This change mandates that systems lacking the necessary kernel features must explicitly disable sandboxing during the build process. Additionally, the sshd -G configuration dump mode now outputs directives in mixed-case, a cosmetic yet potentially breaking change for automated scripts that rely on specific output formatting.

Post-Quantum Cryptography and Performance Improvements

A headline feature of this release is the experimental inclusion of a composite post-quantum signature scheme. This scheme combines ML-DSA 44 and Ed25519, adhering to the draft-miller-sshm-mldsa44-ed25519-composite-sigs specification. It is important to note that this feature is not enabled by default and requires explicit configuration, along with keys generated using “ssh-keygen -t mldsa44-ed25519.”

Beyond security and new protocols, performance also sees an upgrade. Both ssh(1) and sshd(8) now utilize an NFA-based wildcard pattern matcher. This eliminates exponential worst-case performance issues that plagued the previous implementation, leading to more efficient processing.

The release also incorporates numerous general bug fixes, including corrections for FIDO token key downloads, out-of-bounds read fixes within sftp(1), and a significant refactoring of sshd_config parsing for improved privilege-separation serialization. Enhanced bounds checking in cryptographic signing code further contributes to the robustness of the suite.

Portability updates ensure fmt_scaled.c and getrrsetbyname.c are synchronized with OpenBSD upstream, and several memory leaks identified in error paths have been patched.

Source packages are available as openssh-10.4.tar.gz and openssh-10.4p1.tar.gz. Both can be verified using SHA1 and base64-encoded SHA256 checksums, with signing keys distributed via official mirror sites.

What You Should Do

  • Immediately Update: System administrators and users should prioritize updating all OpenSSH installations to version 10.4 to patch critical vulnerabilities.
  • Review Configurations: Be aware of potentially incompatible changes, particularly regarding seccomp sandbox failures and the sshd -G output format. Adjust automation scripts and build processes as necessary.
  • Consider Post-Quantum Cryptography: For organizations preparing for post-quantum security, begin experimenting with the new ML-DSA 44 and Ed25519 composite signature scheme in non-production environments.
  • Verify Downloads: Always verify the integrity of downloaded packages using the provided SHA1 and SHA256 checksums and signing keys from official mirror sites.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackPatchSecurityVulnerability

Share Article

Marcus Rodriguez

Marcus Rodriguez

Marcus is a security researcher and investigative journalist with expertise in vulnerability research, bug bounties, and cloud security. Since 2017, Marcus has been breaking stories on critical vulnerabilities affecting major platforms. His investigative work has led to the disclosure of numerous security flaws and improved defenses across the industry. Marcus is an active participant in bug bounty programs and has been recognized for responsible disclosure practices. He holds multiple security certifications and regularly speaks at industry events.

Previous Post

Critical Microsoft Edge Bug (CVE-2024-XXXX) Lets Attackers Run Code Remotely

Next Post

SilverFox Hackers Deploy Go RAT, AV Killer, Kernel Rootkit in ValleyRAT Campaign

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
IBM WebSphere Flaws Let Attackers Exploit XSS, Path Traversal
July 6, 2026
FIFA World Cup Hype Used by Hackers to Steal PII and Payment Details
July 6, 2026
Multiple PHP Vulnerabilities Allow DoS and Memory Corruption Attacks
July 6, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
David kimber
David kimber
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us