OpenSSH
OpenSSH is the OpenBSD Project's implementation of the SSH protocol, distributed as both the base OpenBSD version and a portable release for Linux and other Unix-like systems. The portable release appends a portability suffix (p1, p2) to the version number. This suffix has no bearing on security fix status and is stripped before version range comparison.
Querying OpenSSH
openssh9.2p1, 9.8p1, 8.9p1curl "https://api.attestd.io/v1/check?product=openssh&version=9.2p1" \
-H "Authorization: Bearer $ATTESTD_KEY"OpenSSH 9.2p1 falls within the range for CVE-2024-6387 (regreSSHion) and CVE-2023-38408. Both are remotely exploitable without authentication. The portability suffix p1 is stripped before comparison, so 9.2p1 and 9.2p2 produce the same result.
{
"product": "openssh",
"version": "9.2p1",
"supported": true,
"risk_state": "high",
"risk_factors": [
"remote_code_execution",
"no_authentication_required",
"internet_exposed_service",
"patch_available"
],
"actively_exploited": false,
"remote_exploitable": true,
"authentication_required": false,
"patch_available": true,
"fixed_version": "9.8p1",
"confidence": 0.89,
"cve_ids": ["CVE-2024-6387", "CVE-2023-38408"],
"last_updated": "2026-02-23T18:21:30Z"
}Portable suffix handling
OpenSSH portable releases use the format X.Yp1, X.Yp2, etc. The pN suffix represents a portability release increment (packaging changes, platform compatibility fixes) and does not correspond to a security patch level. NVD version ranges use integer dotted notation without the suffix.
Attestd strips the portable suffix before comparison. These version strings all resolve to the same risk record:
9.2p19.2p29.2Pass the version exactly as reported by ssh -V. The normalization is applied server-side.
CVE history
OpenSSH has a strong security track record relative to its exposure surface. Most significant CVEs involve the sshd daemon rather than the client. Pre-authentication vulnerabilities are rare but severe when they occur, since sshd is typically internet-exposed on every managed server.
| CVE | Description | Affects | CVSS |
|---|---|---|---|
CVE-2024-6387KEV | Race condition in the SIGALRM signal handler for sshd. An unauthenticated attacker who loses a login grace timeout race can execute arbitrary code as root on glibc-based Linux systems. The vulnerability is a regression of CVE-2006-5051. | 8.5p1 to 9.7p1 | 8.1 |
CVE-2023-38408 | Remote code execution via ssh-agent. When a user connects from a host with ssh-agent forwarding enabled to an attacker-controlled SSH server, the server can load arbitrary shared libraries into the agent process via the agent protocol. | < 9.3p2 | 9.8 |
CVE-2023-25136 | Double free in the pre-authentication sshd path. Introduced by a memory management refactor in 9.1. The practical exploitability is disputed given the memory allocator mitigations in modern systems, but the double free is confirmed. | 9.1p1 only | 6.5 |
CVE-2016-0777 | Information disclosure via roaming extension in the ssh client. The client leaks memory contents from the client heap to an attacker-controlled SSH server when the undocumented roaming feature is enabled (on by default). | 5.4 to 7.1 | 6.5 |
KEV = CISA Known Exploited Vulnerabilities catalog. Active exploitation confirmed.