OpenSSH 10.4 Fixes SFTP, SCP, and sshd Security Bugs

OpenSSH 10.4/10.4p1 fixes security bugs in sftp, scp, and sshd. Linux and Unix administrators should update and review a few configuration-sensitive cases.

OpenSSH 10.4 and 10.4p1 were released on July 6, 2026, bringing security fixes across `sftp`, `scp`, and `sshd` that matter to administrators who use SSH for server access, automation, and file transfers.[1] The update is not framed as a mass-exploitation emergency, and the project release notes did not list CVE IDs at publication time. Still, OpenSSH sits in the critical path for many Linux, Unix, BSD, macOS, and network-administration workflows, so this is a patch administrators should not leave for a vague monthly queue.

The most practical client-side fixes involve file placement during transfers. In one `sftp` case, a malicious server could cause a command-line download such as `sftp host:/path .` to land in an unexpected location. In an `scp` remote-to-remote copy case, a malicious server could write into the parent directory of the intended target.[1] Those details are easy to underplay, but they matter in build systems, jump-host workflows, support scripts, and incident-response collection jobs where operators often pull files from hosts they do not fully trust.

What administrators should check

Server-side, OpenSSH 10.4 fixes several `sshd` behaviors that depend on configuration. The built-in `internal-sftp` server, which is not the default, could silently drop arguments after the ninth entry on long command lines, potentially discarding a security-relevant option placed later in the line. Another fix makes `DisableForwarding=yes` override `PermitTunnel=yes` as documented, while the release notes also call out a potential pre-authentication denial of service when `GSSAPIAuthentication` is enabled. That GSSAPI feature is off by default, but enterprise environments that integrate SSH with Kerberos or Active Directory should still verify their deployed settings.[1]

The release also enforces minimum authentication delay in more cases and fixes a possible `ssh` client-side use-after-free if a server changes its host key during key reexchange.[1] Help Net Security separately summarized the release as covering eight security fixes plus bug fixes and new features, including experimental post-quantum signature support.[2] That post-quantum option combines ML-DSA 44 with Ed25519, but it is not enabled by default and should be treated as a testing feature, not as the reason to rush the update.

For most readers, the immediate action is straightforward: update OpenSSH through the operating system or vendor package channel, then restart or reload SSH services only after normal staging checks. Before a production restart, run the vendor-supported syntax/config test for your platform, review any local `internal-sftp`, forwarding, tunneling, and GSSAPI settings, and make sure automation that parses `sshd -G` output can tolerate mixed-case directive names. The release also makes Linux seccomp sandbox setup failures fatal, so older or unusual builds deserve a quick compatibility check before rollout.[1]

This is also a good moment to review SSH exposure rather than treating the patch as a single package version task. OpenSSH frequently appears in real intrusions as a persistence or access layer; earlier this year, for example, howtofix.guide covered Velvet Ant backdooring Linux PAM and OpenSSH. Linux administrators who are already prioritizing local-root fixes such as Bad Epoll and Copy Fail should place this update in the same operational view: patch the package, verify configuration, and look for accounts, tunnels, keys, and file-transfer jobs that would amplify a smaller SSH bug into a real incident.

References

  1. OpenSSH Project. OpenSSH 10.4/10.4p1 release notes. Published July 6, 2026.
  2. Help Net Security. OpenSSH 10.4 arrives with security fixes and a post-quantum signature option. Published July 6, 2026.

About the author

Emma Davis

Content editor and security writer focused on making malware-removal and scam-prevention guides easier to understand. Emma reviews structure, clarity, and source consistency before articles are published.

Leave a Comment