CVE-2023-38408

Published Jul 20, 2023

Last updated 2 years ago

CVSS critical 9.8
Ubuntu
SSH
Port (22)

Overview

Description
The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.
Source
cve@mitre.org
NVD status
Modified

Risk scores

CVSS 3.1

Type
Primary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

nvd@nist.gov
CWE-428
134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-428

Social media

Hype score
Not currently trending
  1. Critical vulnerability in MOXA industrial switches (CVE-2023-38408) https://t.co/EvC1vfFu1e

    @cybersecnews_jp

    15 Jan 2026


  2. Critical vulnerability in MOXA industrial switches (CVE-2023-38408) https://t.co/1czEefTLYb #セキュリティ対策Lab #セキュリティ #Security

    @securityLab_jp

    15 Jan 2026


  3. I just completed CVE-2023-38408 room on TryHackMe! Learn how to move laterally abusing libraries' side effects in Ubuntu (CVE-2023-38408). https://t.co/1qDWmzImzx #tryhackme via @tryhackme

    @Saffi_Nawaz

    14 Jan 2026


  4. I did "CVE-2023-38408" for my 831st @tryhackme room! This one was pretty wild I am still working on it and trying to understand it better. https://t.co/7Z0PtCmM6q

    @NapaCorruption

    14 Jan 2026


  5. CVE-2023-38408: OpenSSH Vulnerability in Ethernet Switches URL: https://t.co/SJIAXGpknq Classification: Critical, Solution: Official Fix, Exploit Maturity: Functional, CVSSv3.1: 9.8

    @samilaiho

    12 Jan 2026


  6. I just completed CVE-2023-38408 room on TryHackMe! Learn how to move laterally abusing libraries' side effects in Ubuntu (CVE-2023-38408). https://t.co/wg0M4YUTKn #tryhackme via @tryhackme

    @Shyam48973Yadav

    12 Jan 2026


  7. 🚨 CVE-2023-38408: Critical OpenSSH ssh-agent flaw (CVSS 9.8) allows remote code execution via malicious libraries. AccuKnox Zero Trust CNAPP & KubeArmor: -Block unauthorized library loads in real time -Monitor SSH activity & detect anomalies -Contain lateral movement

    @AccuKnox

    13 Nov 2025


  8. ⚠️Security updates for Juniper products ❗CVE-2023-38408 ❗CVE-2024-47538 ❗CVE-2019-12900 ❗CVE-2025-59964 ➡️More info: https://t.co/rHxl8RhXIn https://t.co/2wT2YyImtU

    @CERTpy

    13 Oct 2025


  9. [https://t.co/PIEOWDc22Z 94.152.58.192] next 94.152.152.228 TCP 22 CVE-2023-38408, CVE-2023-28531 At the bottom of the Vistula again? https://t.co/WEMEb4S9jT https://t.co/9cK0kwRKjO https://t.co/6cAggkhBv9

    @KulinskiArkadi

    3 Sept 2025


  10. VGT INTERNET https://t.co/WDRryJO1q7 94.152.39.1 CVE-2023-38408 CVE-2023-28531 https://t.co/y7iFul3pRo https://t.co/xTYoUPMCMG

    @KulinskiArkadi

    14 May 2025


  11. GitHub - TX-One/CVE-2023-38408: CVE-2023-38408 SSH Vulnerability Scanner & PoC https://t.co/QsjlE8eMT5

    @akaclandestine

    19 Apr 2025


  12. https://t.co/fpKSbL0UyR Day 15 of learning & exploiting cve-2023-38408 on #tryhackme for #cybersecurity

    @hiro001_gofone

    27 Feb 2025


  13. CVE-2023-38408 how to. https://t.co/EWujmRnigu https://t.co/eZsJX5HBo8

    @secharvesterx

    22 Feb 2025


Configurations

  1. PackageKit is a D-Bus abstraction layer that allows the user to manage packages in a secure way using a cross-distro, cross-architecture API. PackageKit between and including versions 1.0.2 and 1.3.4 is vulnerable to a time-of-check time-of-use (TOCTOU) race condition on transaction flags that allows unprivileged users to install packages as root and thus leads to a local privilege escalation. This is patched in version 1.3.5. A local unprivileged user can install arbitrary RPM packages as root, including executing RPM scriptlets, without authentication. The vulnerability is a TOCTOU race condition on `transaction->cached_transaction_flags` combined with a silent state-machine guard that discards illegal backward transitions while leaving corrupted flags in place. Three bugs exist in `src/pk-transaction.c`:

     1. Unconditional flag overwrite (line 4036): `InstallFiles()` writes caller-supplied flags to `transaction->cached_transaction_flags` without checking whether the transaction has already been authorized/started. A second call blindly overwrites the flags even while the transaction is RUNNING.
     2. Silent state-transition rejection (lines 873–882): `pk_transaction_set_state()` silently discards backward state transitions (e.g. `RUNNING` → `WAITING_FOR_AUTH`), but the flag overwrite at step 1 has already happened. The transaction continues running with corrupted flags.
     3. Late flag read at execution time (lines 2273–2277): The scheduler's idle callback reads `cached_transaction_flags` at dispatch time, not at authorization time. If flags were overwritten between authorization and execution, the backend sees the attacker's flags.

     CVE-2026-41651

References

Sources include official advisories and independent security research.