Hi, I checked, and it seems that this has been applied in the upstream OpenSSH project
commit cf6c0b3b94cdc223f1b8be1ef2d93e993af5d976 Author: [email protected] <[email protected]> Date: Wed May 13 05:11:02 2026 +0000 upstream: fix hard-to-reach NULL deref during pubkey auth To hit this, the user must be using a PEM style private key with no corresponding .pub key adjacent to it. OpenBSD-Commit-ID: b7150acc5322fa33f21491834d9471fbe3d30f20 diff --git a/sshconnect2.c b/sshconnect2.c index 478a9a52f..5a48c73ed 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect2.c,v 1.385 2026/04/02 07:48:13 djm Exp $ */ +/* $OpenBSD: sshconnect2.c,v 1.386 2026/05/13 05:11:02 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2008 Damien Miller. All rights reserved. @@ -1277,7 +1277,7 @@ identity_sign(struct identity *id, u_char **sigp, size_t *lenp, * PKCS#11 tokens may not support all signature algorithms, * so check what we get back. */ - if ((id->key->flags & SSHKEY_FLAG_EXT) != 0 && + if (id->key != NULL && (id->key->flags & SSHKEY_FLAG_EXT) != 0 && (r = sshkey_check_sigtype(*sigp, *lenp, alg)) != 0) { debug_fr(r, "sshkey_check_sigtype"); goto out; Cheers Alejandro
