OpenSSH is probably the most important tool when it comes to secure remote logins and file transfers. If you’re running Linux or BSD, chances are, it’s running on your machine right now. Recently, a new flaw was published and assigned CVE-2026-35387, and it has a direct impact on how OpenSSH handles ECDSA keys for authentication.
This article dives deep into what went wrong, shows practical examples, and provides all you need to patch or mitigate this issue.
What Is CVE-2026-35387?
Short summary:
OpenSSH before version 10.3 incorrectly handles ECDSA algorithms when they’re listed in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms. If you include any one ECDSA algorithm, OpenSSH acts as if *all* possible ECDSA algorithms are acceptable.
Why does it matter?
This bug accidentally expands the set of public key algorithms OpenSSH will accept, which could allow accidental or unwanted authentication methods — causing weakened security boundaries.
The three ECDSA algorithms involved are ecdsa-sha2-nistp256, ecdsa-sha2-nistp384 and ecdsa-sha2-nistp521.
Normally, if you specify only a single one, OpenSSH should just use that specific algorithm. However, thanks to CVE-2026-35387, if you list *any* ECDSA algorithm, OpenSSH lets in *all three*.
Why does this bug happen?
The internal handler treats the selector too broadly, effectively mis-parsing the settings.
Suppose your /etc/ssh/sshd_config contains:
```
PubkeyAcceptedAlgorithms ecdsa-sha2-nistp384
```
Expected behavior:
Only client keys of type ecdsa-sha2-nistp384 are accepted.
Actual behavior (with vulnerable versions):
Clients with keys ecdsa-sha2-nistp256 _and_ ecdsa-sha2-nistp521 are also accepted! You have less control than you thought.
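```bash
# 1. On the server: restrict public key authentication to nistp384 only
echo "PubkeyAcceptedAlgorithms ecdsa-sha2-nistp384" >> /etc/ssh/sshd_config

# 2. On the client: generate a key on a curve that was not listed
ssh-keygen -t ecdsa -b 521 -f ~/.ssh/ecdsa-nistp521

# 3. Try to log in with that key (user and host are placeholders)
ssh -i ~/.ssh/ecdsa-nistp521 user@server.example
```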
Raise confusion or break compliance and auditing requirements.
Worst-case:
If you intentionally restrict algorithms to enforce stronger keys, this bug throws those controls out the window.
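To see which existing keys fall into that gap, the following added example (not from the original article or the OpenSSH project) takes a PubkeyAcceptedAlgorithms value and an authorized_keys file on stdin and reports ECDSA keys whose algorithm was not listed, which per the behaviour described above a pre-10.3 sshd would still accept. The function names and the sample keys are constructed for illustration, and the list is assumed to hold literal algorithm names (no wildcards or +/-/^ modifiers).

```bash
#!/bin/sh
# Added example: names and sample data are constructed for illustration.

# configured_ecdsa "<comma-separated algorithm list>"
# Prints the plain ECDSA algorithms named in the list, space-separated.
configured_ecdsa() {
    printf '%s\n' "$1" | tr ',' '\n' |
        grep -E '^ecdsa-sha2-nistp(256|384|521)$' | tr '\n' ' '
}

# unintended_keys "<algorithm list>" < authorized_keys
# Prints "<line> <algorithm>" for each ECDSA key whose algorithm is not in
# the list. Prints nothing when the list names no ECDSA algorithm at all,
# because the widening described above needs at least one to be listed.
unintended_keys() {
    allowed=$(configured_ecdsa "$1")
    [ -n "$allowed" ] || return 0
    awk -v allowed="$allowed" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        {
            # The key type can follow an options field, so scan every field.
            for (i = 1; i <= NF; i++)
                if ($i ~ /^ecdsa-sha2-nistp(256|384|521)$/) {
                    if (!($i in ok)) print NR, $i
                    break
                }
        }'
}

# Constructed authorized_keys content; the key blobs are placeholders.
sample_authorized_keys() {
    cat <<'EOF'
# constructed sample
ecdsa-sha2-nistp384 AAAAplaceholder1 ops@bastion
ecdsa-sha2-nistp256 AAAAplaceholder2 alice@laptop
ssh-ed25519 AAAAplaceholder3 bob@desk
command="/usr/bin/true" ecdsa-sha2-nistp521 AAAAplaceholder4 backup@nas
sk-ecdsa-sha2-nistp256@openssh.com AAAAplaceholder5 carol@token
EOF
}

# Intended policy: only nistp384 and ed25519 keys may log in.
sample_authorized_keys | unintended_keys "ssh-ed25519,ecdsa-sha2-nistp384"
```

Keys it reports are candidates for removal or re-issue on the intended curve until the server is upgraded.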
If you want to inspect the relevant code, check out the OpenSSH GitHub repository.
Best: Upgrade to OpenSSH 10.3 or newer.
Workaround:
Don’t rely on PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms rules alone for fine-grained ECDSA control. Consider:
Conclusion
CVE-2026-35387 is a classic example of a parsing bug with real security consequences. If you’re running OpenSSH below version 10.3 and depend on restricting accepted ECDSA key types, patch immediately!
Always double-check that your intended security boundaries are truly in effect — especially when it comes to remote access controls like SSH.
Have questions or need help? Let’s chat at OpenSSH’s mailing list. Secure your access before someone else does.
Timeline
Published on: 04/02/2026 16:52:53 UTC
Last modified on: 04/27/2026 14:05:11 UTC