IRONSMITHINTEL
CRITICAL | CVSS 8.1
CISA KEV | CVE-2024-6387 | Auth: none (unauthenticated) | Reboot: not required | Est. 15 minutes (service restart only) | Manual only

OpenSSH < 9.8p1

A signal handler race condition in OpenSSH server allows unauthenticated RCE as root on Linux systems. Update OpenSSH to 9.8p1 immediately — over 14 million internet-exposed SSH servers were potentially vulnerable at disclosure.

Published Jul 1, 2024 · Updated May 10, 2026
Why patch: risk explained in plain English
Worst-case scenario (if unpatched)

An unauthenticated attacker who can reach port 22 can achieve root code execution on the target Linux system. This is a critical severity vulnerability in one of the most widely deployed services on the internet. Exploitation is probabilistic and requires many thousands of connection attempts, but automated tools make this practical.

How the attack works

OpenSSH's sshd has a race condition in signal handling. When a client does not authenticate within the LoginGraceTime window (default 120 seconds), a SIGALRM is delivered and sshd's signal handler runs asynchronously. That handler calls functions that are not async-signal-safe (malloc/free/syslog). An attacker who times the SIGALRM to interrupt a memory allocation in progress can corrupt the heap and achieve remote code execution as root.

Am I affected? Quick check

Probably yes if any of these apply:

Linux/Unix Administrators
Server Administrators
IT Security
Running OpenSSH 8.5p1 through 9.7p1 on glibc-based Linux systems
Fixed in OpenSSH 9.8p1
Real-world incidents: what we've seen

Qualys researchers discovered and disclosed regreSSHion on July 1, 2024. Over 14 million OpenSSH instances were estimated to be internet-exposed and potentially vulnerable. While exploitation is probabilistic and time-consuming, the researchers successfully exploited it in a lab environment. The name "regreSSHion" reflects that CVE-2006-5051 (a similar bug) was reintroduced by a regression in 2020.

How to patch

Manual remediation steps

15 minutes (service restart only)

Check OpenSSH Version

ssh -V
# Or, for the server binary:
sshd -V
# Example output:
# OpenSSH_9.7p1 Ubuntu-9.7p1+dfsg-... (example)

Immediate Mitigations (if patching delayed)

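# Option 1: Set LoginGraceTime to 0 in /etc/ssh/sshd_config
# (disables the vulnerable code path, but removes the timeout)
# sshd keeps the first value it reads for a keyword, and a line appended after
# a Match block lands inside that block, so insert at the top of the file.
sed -i '1i LoginGraceTime 0' /etc/ssh/sshd_config
sshd -t && systemctl reload sshd
# Confirm the effective value (expect "logingracetime 0"):
sshd -T | grep -i logingracetime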

# Option 2: Rate-limit SSH connections at the firewall
# (reduces exposure but does not eliminate it)

Update OpenSSH

# Debian/Ubuntu:
apt update && apt install openssh-server

# RHEL/CentOS/AlmaLinux:
dnf update openssh-server

# Or compile from source:
# wget https://cloudflare.cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.8p1.tar.gz

Verify

ssh -V
# Must show OpenSSH_9.8p1 or later
sshd -V
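
The version check and the LoginGraceTime mitigation above can be combined into one triage step. This script is an added example, not part of the original advisory: the function names are hypothetical, the affected range (8.5p1 through 9.7p1, fixed in 9.8p1) is the one stated on this page, and the sample inputs are constructed. It compares the upstream version string only, so a distribution package with a backported fix will still classify as in-range.

```sh
#!/bin/sh
# Added example, not from the original advisory. Function names are
# hypothetical; the version range is the one this page states.

# classify_openssh BANNER -> in-range | fixed | outside-range | unknown
# Compares the upstream version only. A distribution package carrying a
# backported fix keeps its older version string, so confirm "in-range"
# results against the vendor's advisory for that package.
classify_openssh() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || { echo unknown; return 0; }
    set -- $ver                  # $1 = major, $2 = minor
    v=$(( $1 * 100 + $2 ))       # 8.5 -> 805, 9.7 -> 907
    if   [ "$v" -ge 908 ]; then echo fixed
    elif [ "$v" -ge 805 ]; then echo in-range
    else echo outside-range
    fi
}

# grace_mitigated: reads `sshd -T` output (the effective config) on stdin.
# sshd keeps the first value it reads for a keyword, so grepping the file
# for "LoginGraceTime 0" is not proof that the setting applies.
grace_mitigated() {
    value=$(awk 'tolower($1) == "logingracetime" { print $2; exit }')
    if [ "$value" = 0 ]; then echo mitigated; else echo not-mitigated; fi
}

# triage BANNER (effective config on stdin) ->
#   fixed | outside-range | unknown | in-range:mitigated | in-range:exposed
triage() {
    state=$(classify_openssh "$1")
    if [ "$state" = in-range ]; then
        if [ "$(grace_mitigated)" = mitigated ]; then
            state=in-range:mitigated
        else
            state=in-range:exposed
        fi
    fi
    echo "$state"
}

# Constructed samples. On a live host, as root:
#   sshd -T | triage "$(ssh -V 2>&1)"
printf 'port 22\nlogingracetime 120\n' | triage 'OpenSSH_9.7p1 (constructed)'
printf 'port 22\nlogingracetime 0\n'   | triage 'OpenSSH_9.7p1 (constructed)'
printf 'port 22\nlogingracetime 120\n' | triage 'OpenSSH_9.8p1 (constructed)'
```

A result of in-range:mitigated still needs the package update; the mitigation only closes the LoginGraceTime code path.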
PowerShell automation: coming soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.