A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.
CVE-2024-6387
Score 8.1 from GitHub Security Advisory (severity: HIGH) published 2024-07-01. NVD baseline CVSS 8.1; sources differ by 0.0.
- 958 internet-exposed hosts are running an affected version right now
- High exploitation likelihood — EPSS 100%
A fix is available — apply it.
958 internet-exposed hosts are running an affected version of CVE-2024-6387 right now.
EchelonGraph is the only CVE feed that fuses live vulnerability intelligence with its own live internet-exposure radar — so you see not just that a CVE is exploited, but how much of the internet is exposed to it right now.
- CVSS v3
- 8.1
- EG Score
- 8.1(medium)
- EPSS
- 99.9%
- KEV
- Not listed
Published
July 1, 2024
Last Modified
May 12, 2026
Advisory Details (10)
Auto-updated May 12, 2026blog | The public blog of Santander Cyber Security Research
https://santandersecurityresearch.github.io/blog/sshing_the_masses.html2294604 – (CVE-2024-6387, regreSSHion) CVE-2024-6387 openssh: regreSSHion - race condition in SSH allows RCE/DoS
Affected: Red Hat Enterprise Linux 9
https://bugzilla.redhat.com/show_bug.cgi?id=2294604Affected: Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.
https://access.redhat.com/errata/RHSA-2024:4389Affected: Red Hat Enterprise Linux 9.2 Extended Update Support.
https://access.redhat.com/errata/RHSA-2024:4340Affected: Red Hat Enterprise Linux 9.
https://access.redhat.com/errata/RHSA-2024:4312Vendor Advisories for CVE-2024-6387(7)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
- CVE-2024-6387Microsoft Security Response Center (MSRC)Critical
RedHat Openssh: CVE-2024-6387 Remote Code Execution Due To A Race Condition In Signal Handling
- RHSA-2024:4474Red Hat Product SecurityHigh
Red Hat Security Advisory: OpenShift Container Platform 4.15.22 security update
- RHSA-2024:4484Red Hat Product SecurityHigh
Red Hat Security Advisory: OpenShift Container Platform 4.13.45 bug fix and security update
- RHSA-2024:4479Red Hat Product SecurityHigh
Red Hat Security Advisory: OpenShift Container Platform 4.14.33 bug fix and security update
- RHSA-2024:4389Red Hat Product SecurityHigh
Red Hat Security Advisory: openssh security update
- RHSA-2024:4340Red Hat Product SecurityHigh
Red Hat Security Advisory: openssh security update
- RHSA-2024:4312Red Hat Product SecurityHigh
Red Hat Security Advisory: openssh security update
Patch Availability(8)
| Vendor / Ecosystem | Fixed in / Patch | Released | Source |
|---|---|---|---|
| ubuntu | ssh-askpass-gnome (1:9.6p1-3ubuntu13.3) @ noble | 2026-05-22 | ubuntu |
| redhat | rhcos-415.92.202407091355-0 | 2024-07-18 | redhat |
| redhat | rhcos-413.92.202407091321-0 | 2024-07-17 | redhat |
| redhat | rhcos-414.92.202407091253-0 | 2024-07-17 | redhat |
| redhat | rhcos-416.94.202407081958-0 | 2024-07-16 | redhat |
| redhat | openssh-0:8.7p1-12.el9_0.1 | 2024-07-08 | redhat |
| redhat | openssh-0:8.7p1-30.el9_2.4 | 2024-07-05 | redhat |
| redhat | openssh-0:8.7p1-38.el9_4.1 | 2024-07-03 | redhat |
Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.
Weakness Classification(2)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Additional Vendor Advisories
(2)
Vendors that published advisories for this CVE beyond the curated set above. Broader coverage but minimal per-row detail — click through for the original advisory.
Data Freshness Timeline
(refreshed 3× in last 7d / 8× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-11 03:52 UTCOSV refresh
- 2026-07-06 16:26 UTCEPSS rescore
- 2026-07-06 16:26 UTCEPSS rescore
- 2026-06-22 11:02 UTCOSV refresh
- 2026-06-16 17:52 UTCEPSS rescore
- 2026-06-15 17:48 UTCEPSS rescore
- 2026-06-12 23:11 UTCEPSS rescore
- 2026-06-12 23:11 UTCEPSS rescore
- 2026-06-11 13:59 UTCEPSS rescore
- 2026-06-11 13:59 UTCEPSS rescore
- 2026-06-10 22:18 UTCEPSS rescore
- 2026-06-10 22:18 UTCEPSS rescore
- 2026-06-10 13:21 UTCEPSS rescore
- 2026-06-08 14:16 UTCEPSS rescore
- 2026-06-08 14:16 UTCEPSS rescore
- 2026-06-07 15:24 UTCEPSS rescore
- 2026-06-07 15:24 UTCEPSS rescore
- 2026-06-06 13:46 UTCEPSS rescore
- 2026-06-06 13:46 UTCEPSS rescore
- 2026-06-05 22:46 UTCEPSS rescore
- 2026-06-05 22:46 UTCEPSS rescore
- 2026-06-05 06:09 UTCEPSS rescore
- 2026-06-05 06:09 UTCEPSS rescore
- 2026-06-04 15:39 UTCOSV refresh
- 2026-06-02 20:12 UTCEPSS rescore
Show 29 moreShow fewer
- 2026-06-02 20:12 UTCEPSS rescore
- 2026-06-01 13:51 UTCEPSS rescore
- 2026-06-01 13:51 UTCEPSS rescore
- 2026-06-01 13:51 UTCEPSS rescore
- 2026-05-31 22:30 UTCEPSS rescore
- 2026-05-31 22:30 UTCEPSS rescore
- 2026-05-31 00:16 UTCEPSS rescore
- 2026-05-31 00:16 UTCEPSS rescore
- 2026-05-29 13:43 UTCEPSS rescore
- 2026-05-28 13:44 UTCEPSS rescore
- 2026-05-28 13:44 UTCEPSS rescore
- 2026-05-28 13:44 UTCEPSS rescore
- 2026-05-27 13:40 UTCEPSS rescore
- 2026-05-27 13:40 UTCEPSS rescore
- 2026-05-22 21:16 UTCEPSS rescore
- 2026-05-22 21:16 UTCEPSS rescore
- 2026-05-22 21:16 UTCEPSS rescore
- 2026-05-22 21:16 UTCEPSS rescore
- 2026-05-22 00:36 UTCEG score recompute
- 2026-05-22 00:36 UTCVendor advisory
- 2026-05-22 00:36 UTCGHSA enrichment
- 2026-05-21 22:42 UTCEPSS rescore
- 2026-05-20 22:37 UTCEPSS rescore
- 2026-05-20 22:37 UTCEPSS rescore
- 2026-05-20 22:37 UTCEPSS rescore
- 2026-05-20 22:37 UTCEPSS rescore
- 2026-05-20 22:37 UTCEPSS rescore
- 2026-05-18 21:30 UTCEPSS rescore
- 2026-05-18 21:30 UTCEPSS rescore
Publicly available exploits
(10 references)Working exploit code is in the public domain (9 GitHub PoCs) (1 Exploit-DB entry). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.
- Exploit-DBEDB-52269First seen Apr 22, 2025
OpenSSH server (sshd) 9.8p1 - Race Condition
Open source ↗ - GitHub PoCfilipi86/CVE-2024-6387-Vulnerability-CheckerFirst seen Jul 9, 2024
This Python script checks for the CVE-2024-6387 vulnerability in OpenSSH servers. It supports multiple IP addresses, URLs, CIDR ranges, and ports. The script can also read addresses from a file.
Open source ↗ - GitHub PoCKarmakstylez/CVE-2024-6387First seen Jul 8, 2024
Remote Unauthenticated Code Execution Vulnerability in OpenSSH server (CVE-2024-6387)
Open source ↗ - GitHub PoCzgzhang/cve-2024-6387-pocFirst seen Jul 3, 2024
Reproduction PoC for the OpenSSH signal-handler race condition (32-bit demo).
Open source ↗ - GitHub PoCl0n3m4n/CVE-2024-6387First seen Jul 2, 2024
PoC - Remote Unauthenticated Code Execution Vulnerability in OpenSSH server (Scanner and Exploit)
Open source ↗ - GitHub PoCxonoxitron/regreSSHionFirst seen Jul 2, 2024
CVE-2024-6387 (regreSSHion) Exploit (PoC), a vulnerability in OpenSSH's server (sshd) on glibc-based Linux systems.
Open source ↗ - GitHub PoCd0rb/CVE-2024-6387First seen Jul 2, 2024
This Python script exploits a remote code execution vulnerability (CVE-2024-6387) in OpenSSH.
Open source ↗ - GitHub PoCxaitax/CVE-2024-6387_CheckFirst seen Jul 1, 2024
CVE-2024-6387_Check is a lightweight, efficient tool designed to identify servers running vulnerable versions of OpenSSH
Open source ↗ - GitHub PoCacrono/cve-2024-6387-pocFirst seen Jul 1, 2024
32-bit PoC for CVE-2024-6387 — mirror of the original 7etsuo/cve-2024-6387-poc
Open source ↗ - GitHub PoClflare/cve-2024-6387-pocFirst seen Jul 1, 2024
MIRROR of the original 32-bit PoC for CVE-2024-6387 "regreSSHion" by 7etsuo/cve-2024-6387-poc
Open source ↗
Past incidents using this CVE
(1)This CVE was central to one or more publicly-documented breaches. Each card links to authoritative reporting at the time of the incident.
- regreSSHion (OpenSSH)Jul 2024
Signal-handler race condition in OpenSSH sshd allowed unauthenticated RCE as root on glibc-based Linux systems. Qualys disclosed; affected millions of internet-facing sshd instances.
Source: Qualys
Related CVEs(same vendor + same CWE)
Same vendor
10 shownmsrc · redhat
Same CWE
10 shownCWE-362 · CWE-364
Frequently asked(5)
What is CVE-2024-6387?
When was CVE-2024-6387 disclosed?
Is CVE-2024-6387 actively exploited?
What is the CVSS score of CVE-2024-6387?
How do I remediate CVE-2024-6387?
Dependency Blast Radius
Explore the affected products and dependency analysis for CVE-2024-6387
Is Your Infrastructure Affected by CVE-2024-6387?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.