CVE-2024-6387 Explained: regreSSHion OpenSSH Signal Handler Race Condition
A signal handler race condition in OpenSSH's sshd — a regression of a 2006 vulnerability reintroduced in 2021 — enabling unauthenticated remote code execution as root on glibc-based Linux systems. Affects an estimated 14 million internet-exposed OpenSSH servers.
CVE-2024-6387 is a signal handler race condition in OpenSSH's sshd, disclosed by Qualys on July 1, 2024 and named regreSSHion. The vulnerability allows an unauthenticated attacker to achieve remote code execution as root on glibc-based Linux systems running OpenSSH 8.5p1 through 9.7p1. It is a regression: the original flaw (CVE-2006-5051) was patched in 2006, but a code change in OpenSSH 8.5p1 released in October 2021 inadvertently reintroduced it. It went undetected for three years.
Qualys identified approximately 14 million OpenSSH servers exposed on the public internet running vulnerable versions. The vulnerability scores CVSS 8.1 — notable because the attack is complex and requires thousands of attempts, but the consequence of successful exploitation is unauthenticated root access to any Linux system running a standard SSH daemon.
How the Race Condition Works: Signal Handlers and Heap Corruption
OpenSSH's sshd allows unauthenticated clients a grace period (LoginGraceTime, default 120 seconds) to complete authentication. If a client fails to authenticate within this window, sshd handles the timeout by raising a SIGALRM signal, which calls the cleanup_exit() function.
The problem: cleanup_exit() calls functions that are not async-signal-safe — specifically, glibc's malloc, free, and related memory management functions. Signal handlers must only call async-signal-safe functions because they can interrupt any point in a running program, including the middle of malloc's internal bookkeeping. Calling malloc from a signal handler that fires during another malloc operation corrupts the heap.
An attacker exploits this by causing the SIGALRM to fire at precisely the right moment during sshd's memory operations. With enough attempts (~10,000 connections), the timing can be won. Once the heap is corrupted in the right way, it becomes possible to redirect execution to attacker-controlled shellcode. On 32-bit systems, ASLR provides insufficient entropy to prevent exploitation. On 64-bit systems, exploitation is significantly harder but theoretically possible with sufficient attempts.
Open unauthenticated SSH connection
Attacker initiates an SSH connection to the target sshd but does not authenticate. The sshd LoginGraceTime period begins — default 120 seconds.
Trigger SIGALRM race condition
Attacker allows the connection to timeout without authenticating, triggering the SIGALRM handler. The handler calls cleanup_exit(), which invokes async-signal-unsafe glibc heap functions, potentially corrupting heap metadata.
Repeat until heap is in exploitable state
The attacker opens thousands of connections in sequence, each triggering the race condition. With each attempt, the heap state changes slightly. After approximately 10,000 attempts, the heap may be in a state that allows controlled corruption.
Win the race and redirect execution
When the heap corruption produces the right conditions, the attacker's data overwrites a function pointer or return address, redirecting execution to attacker shellcode. On 32-bit targets, ASLR can be bypassed relatively quickly. On 64-bit targets, this step requires significantly more attempts.
Execute as root
sshd runs as root before privilege separation occurs. Successful exploitation achieves root code execution before any authentication credential is checked, giving the attacker full system compromise.
Scope and Practical Exploitation Considerations
The CVSS score of 8.1 reflects the attack complexity — the race condition requires thousands of attempts and hours of sustained effort, which depresses the score from the 10.0 it would receive if exploitation were trivial. But high attack complexity does not mean the vulnerability can be ignored.
For targeted attacks against high-value systems by well-resourced threat actors, an 8-hour exploitation window is operationally viable. Qualys demonstrated successful exploitation on 32-bit x86 systems in their lab. On 64-bit x86-64 systems — the dominant deployment — ASLR entropy is much higher (approximately 2^28 for heap layout randomisation), making the attack take days rather than hours without additional information leaks.
Approximately 700,000 of the 14 million exposed systems were identified as running vulnerable versions without patches applied as of July 2024. Enterprise Linux distributions (RHEL 9, Ubuntu 22.04 LTS, Debian 12) all shipped patched packages within days of the disclosure.
“This vulnerability, if exploited, could lead to full system compromise where an attacker can execute arbitrary code with the highest privileges, resulting in a complete system takeover, installation of malware, data manipulation, and the creation of backdoors for persistent access.”
— Qualys regreSSHion advisory, July 1, 2024
Patching and Mitigating CVE-2024-6387
The fix is straightforward — upgrade OpenSSH. The workaround is also simple and immediately effective while patch deployment is underway.
Upgrade to OpenSSH 9.8p1 or install distribution-patched packages
OpenSSH 9.8p1 fixes CVE-2024-6387 by making the signal handler fully async-signal-safe. All major Linux distributions released patched OpenSSH packages within days of disclosure. Use your distribution's package manager: apt update && apt install --only-upgrade openssh-server (Debian/Ubuntu) or dnf update openssh-server (RHEL/CentOS/Fedora).
Set LoginGraceTime 0 as an immediate workaround
Add or set LoginGraceTime 0 in /etc/ssh/sshd_config and restart sshd. This eliminates the SIGALRM timer entirely, removing the race condition's trigger. The trade-off: unauthenticated connections are not timed out, which can allow DoS via connection exhaustion. Combine with MaxStartups and firewall rate limiting to compensate.
Restrict SSH access with firewall allowlisting
Limit SSH access to known IP addresses or management networks via firewall rules. Even if CVE-2024-6387 is not the immediate risk for your environment, SSH should never be exposed to arbitrary internet sources. Network-level restriction significantly reduces the exploitation surface for this and future SSH vulnerabilities.
Audit for anomalous SSH connections in logs
Review /var/log/auth.log or /var/log/secure for patterns consistent with race condition exploitation: large numbers of rapid disconnections from the same source IP within the LoginGraceTime window. These generate 'Connection closed by authenticating user' or 'Disconnected from authenticating user' log entries at high frequency.
The bottom line
regreSSHion is the kind of vulnerability that gets underestimated because of a CVSS score that reflects attack complexity rather than the severity of a successful outcome. Unauthenticated root RCE on any internet-exposed Linux SSH daemon is a maximum-severity outcome — the score just acknowledges that achieving it takes real work.
The regression story is also a supply-chain-of-time lesson: a security patch from 2006 was undone by a code change in 2021, and nobody caught it for three years despite OpenSSH being one of the most audited codebases in open-source software. The reintroduced flaw sat in hundreds of millions of deployments worldwide until a Qualys researcher found it.
If you run Linux servers with SSH exposed to the internet — which is most of them — patch this now. The upgrade to OpenSSH 9.8p1 is straightforward. The workaround (LoginGraceTime 0) takes thirty seconds. The only thing required to be at risk is running an unpatched sshd on a public-facing host, which describes most of the internet.
Frequently asked questions
What is CVE-2024-6387 (regreSSHion)?
CVE-2024-6387 is a signal handler race condition in OpenSSH's sshd daemon. When a client fails to authenticate within the LoginGraceTime window (default 120 seconds), sshd calls cleanup_exit() from a SIGALRM signal handler. This function calls async-signal-unsafe functions including those in glibc's malloc — a heap memory manager that can be manipulated to achieve remote code execution. The vulnerability allows unauthenticated attackers to exploit this race condition for root RCE on glibc-based Linux systems.
Which OpenSSH versions are affected?
OpenSSH 8.5p1 through 9.7p1 on glibc-based Linux systems are affected. OpenBSD is not affected (it uses a different signal handling mechanism). OpenSSH versions prior to 4.4p1 are also vulnerable to the original CVE-2006-5051 if unpatchd. OpenSSH 9.8p1 and later are patched. macOS uses a different sshd and is not affected by this specific CVE.
How hard is it to exploit CVE-2024-6387?
Exploitation is difficult in practice. The race condition requires ~10,000 attempts to reliably win, and each attempt takes approximately 60–120 seconds (the LoginGraceTime). This means a complete exploitation attempt can take 6–8 hours of sustained effort. ASLR must also be bypassed — achievable on 32-bit systems relatively easily, significantly harder on 64-bit. Qualys described exploitation on 64-bit systems as theoretically possible but not yet practically demonstrated in their research.
Has CVE-2024-6387 been exploited in the wild?
As of the research disclosure in July 2024, no confirmed in-the-wild exploitation had been reported. The difficulty of exploitation (multi-hour attack window, thousands of attempts required, 64-bit ASLR bypass needed) makes opportunistic mass exploitation unlikely. However, targeted exploitation by well-resourced threat actors — particularly with a 32-bit target — is a realistic risk.
How do I fix CVE-2024-6387?
Upgrade to OpenSSH 9.8p1 or later, or apply your Linux distribution's patched OpenSSH package. If immediate patching is not possible, set LoginGraceTime 0 in /etc/ssh/sshd_config and restart sshd. This disables the grace period that triggers the vulnerable code path, eliminating the race condition at the cost of allowing unlimited unauthenticated connection hold-time.
Does reducing MaxStartups or LoginGraceTime mitigate CVE-2024-6387?
Setting LoginGraceTime 0 eliminates the vulnerability by removing the SIGALRM signal that triggers the race condition. Reducing MaxStartups limits the number of concurrent unauthenticated connections, which makes multi-attempt exploitation slower but does not eliminate it. LoginGraceTime 0 is the only complete non-patch mitigation.
Sources & references
- NVD
- Qualys Security Advisory — regreSSHion: Remote Unauthenticated Code Execution Vulnerability in OpenSSH server
- OpenSSH Security Notice
- CISA Known Exploited Vulnerabilities Catalog
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, weekly, no spam.
Unsubscribe anytime. We never sell your data.
Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.