new file mode 100644
@@ -0,0 +1,78 @@
+From fd1c7e131f331942d20f42f31e79912d570081fa Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Thu, 02 Apr 2026 07:48:13 +0000
+Subject: [PATCH] upstream: Fix matching of authorized_keys principals
+ option against certificate principals containing commas
+
+When matching an authorized_keys principals="" option against a list
+of principals in a certificate, an incorrect algorithm (match_list)
+was used that could allow inappropriate matching in cases where a
+principal name in the certificate contains a comma character.
+
+Exploitation requires an authorized_keys principals="" option listing
+more than one principal AND a CA that will issue a certificate encoding
+more than one of those principal names separated by a comma. Typical
+CAs strongly constrain which principal names they will place in a
+certificate. This condition only applies to user-trusted CA keys in
+authorized_keys; the main certificate authentication path
+(TrustedUserCAKeys/AuthorizedPrincipalsFile) is not affected.
+
+Reported by Vladimir Tokarev.
+
+OpenBSD-Commit-ID: c790e2687c35989ae34a00e709be935c55b16a86
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/fd1c7e131f331942d20f42f31e79912d570081fa]
+CVE: CVE-2026-35414
+Signed-off-by: Ashish Sharma <pahaditechie@gmail.com>
+---
+ auth2-pubkeyfile.c | 26 +++++++++++++++-----------
+ 1 file changed, 15 insertions(+), 11 deletions(-)
+
+diff --git a/auth2-pubkeyfile.c b/auth2-pubkeyfile.c
+index 896ea19..e729cc5 100644
+--- a/auth2-pubkeyfile.c
++++ b/auth2-pubkeyfile.c
+@@ -50,6 +50,7 @@
+ #include "authfile.h"
+ #include "match.h"
+ #include "ssherr.h"
++#include "xmalloc.h"
+
+ int
+ auth_authorise_keyopts(struct passwd *pw, struct sshauthopt *opts,
+@@ -146,20 +147,23 @@ auth_authorise_keyopts(struct passwd *pw, struct sshauthopt *opts,
+ static int
+ match_principals_option(const char *principal_list, struct sshkey_cert *cert)
+ {
+- char *result;
++ char *list, *olist, *entry;
+ u_int i;
+
+- /* XXX percent_expand() sequences for authorized_principals? */
+-
+- for (i = 0; i < cert->nprincipals; i++) {
+- if ((result = match_list(cert->principals[i],
+- principal_list, NULL)) != NULL) {
+- debug3("matched principal from key options \"%.100s\"",
+- result);
+- free(result);
+- return 1;
++ olist = list = xstrdup(principal_list);
++ for (;;) {
++ if ((entry = strsep(&list, ",")) == NULL || *entry == '\0')
++ break;
++ for (i = 0; i < cert->nprincipals; i++) {
++ if (strcmp(entry, cert->principals[i]) == 0) {
++ debug3("matched principal from key i"
++ "options \"%.100s\"", entry);
++ free(olist);
++ return 1;
++ }
+ }
+ }
++ free(olist);
+ return 0;
+ }
+
+--
+2.25.1
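Review bot: The debug3() call on the strcmp match path splits its format string into `"matched principal from key i"` and `"options \"%.100s\""`, which concatenate to `matched principal from key ioptions "..."`; the stray `i` looks like a transcription slip in the backport, since the removed line logged `matched principal from key options`. The first literal should presumably end in a space instead: `debug3("matched principal from key "` followed by `"options \"%.100s\"", entry);`. This only affects the log text, not the matching decision, but a mangled message makes the new exact-match path harder to recognise when auditing principal matching in sshd logs. Separately, the outer loop ends at the first empty entry (`*entry == '\0'`), so a list such as `principals="a,,b"` never reaches `b`; match_list() is not on this page, so whether that is unchanged behaviour or a silent tightening is worth confirming and stating in a comment above the loop.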
@@ -34,6 +34,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
file://CVE-2025-32728.patch \
file://CVE-2025-61985.patch \
file://CVE-2025-61984.patch \
+ file://CVE-2026-35414.patch \
"
SRC_URI[sha256sum] = "910211c07255a8c5ad654391b40ee59800710dd8119dd5362de09385aa7a777c"
The match_principals_option() function in auth2-pubkeyfile.c used match_list() (which performs glob-based, comma-separated matching) instead of exact string comparison. When a certificate principal name contains a comma, match_list() splits it into multiple patterns, allowing an attacker to craft a principal name that gains unauthorized access. Fix by replacing match_list() with a strsep+strcmp loop for exact principal matching. Backport of commit fd1c7e131f331942d20f42f31e79912d570081fa from openssh-portable 10.3p1. CVE: CVE-2026-35414 Signed-off-by: Ashish Sharma <pahaditechie@gmail.com> --- .../openssh/openssh/CVE-2026-35414.patch | 78 +++++++++++++++++++ .../openssh/openssh_9.6p1.bb | 1 + 2 files changed, 79 insertions(+) create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2026-35414.patch