CVE-2016-1908

critical
Published 2017-04-11 · Modified 2026-05-13
CVSS v3
9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v2
7.5
VIR risk
9.8

Description

The client in OpenSSH before 7.2 mishandles failed cookie generation for untrusted X11 forwarding and relies on the local X11 server for access-control decisions, which allows remote X11 clients to trigger a fallback and obtain trusted X11 forwarding privileges by leveraging configuration issues on this X11 server, as demonstrated by lack of the SECURITY extension on this X11 server.

Predictions

Exploit likelihood
97%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor, authored 2026-05-27: Vendor advisory (debian) — https://security-tracker.debian.org/tracker/CVE-2016-1908

vendor, authored 2026-05-27: Vendor advisory (secalert@redhat.com) — https://bugzilla.redhat.com/show_bug.cgi?id=1298741

vendor, authored 2026-05-27: Vendor advisory (secalert@redhat.com), upstream fix commit — https://anongit.mindrot.org/openssh.git/commit/?id=ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c

vendor, authored 2026-05-27: Vendor advisory (secalert@redhat.com), OpenSSH 7.2 release notes — http://www.openssh.com/txt/release-7.2

vendor, authored 2026-05-27: Vendor advisory (suse) — https://www.suse.com/security/cve/CVE-2016-1908.html

OS impact

OS       Version           Status     Fixed in
suse     sles              affected
debian   debian 8.0        affected
redhat   rhel 6.0          affected
redhat   rhel 7.0          affected
redhat   rhel 7.2          affected
redhat   rhel 7.3          affected
redhat   rhel 7.4          affected
redhat   rhel 7.5          affected
redhat   rhel 7.6          affected
redhat   rhel 7.7          affected
debian   debian bookworm   fixed      1:7.2p1-1
debian   debian bullseye   fixed      1:7.2p1-1
debian   debian forky      fixed      1:7.2p1-1
debian   debian sid        fixed      1:7.2p1-1
debian   debian trixie     fixed      1:7.2p1-1

Application impact

Vendor    Product   Versions                          Fixed
openbsd   openssh   all versions before 7.2           7.2
                    (endExcluding: 7.2)

References

CWEs

CWE-287
