CVE-2026-39832
CriticalCVSS 9.1Exploitation Probability (EPSS)
Low risk26th percentile — higher than 26% of all known CVEs
Summary
A vulnerability in OpenSSH causes constraint extensions such as [email protected] not to be serialized in the request when adding a key to a remote agent. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host.
Risk Assessment
The organization is at risk of unauthorized access to remote systems because forwarded SSH keys may be used without destination restrictions, potentially leading to privilege escalation or uncontrolled access to critical resources.
Recommendation
Immediately update OpenSSH to a version that fixes the serialization of constraint extensions and modifies the NewKeyring() function to reject keys with unsupported extensions. After the update, regenerate and redeploy SSH keys.
Original NVD description (English source)
When adding a key to a remote agent constraint extensions such as [email protected] were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

