Short answer: map CVE-2026-3497 to the vendor advisory and installed package before deciding what it means for your server. Update through Ubuntu’s normal security channel, preserve a second access path, and avoid assuming every SSH deployment has the same exposure.
What is the right triage order?
- Read the Ubuntu advisory and affected releases.
- Identify the installed OpenSSH package and repository source.
- Compare it with the vendor’s fixed-state guidance.
- Apply the supported update and review restart or reconnect impact.
- Check access from a separate session before closing the maintenance window.
The security decision belongs to the distro package, not to a copied headline or an upstream version string alone. Existing Ubuntu OpenSSH update triage covers the access-preservation angle.
What should you not claim?
Do not call a host safe because a port is filtered, or compromised because a scanner reports a vulnerable upstream version. Exposure, authentication policy, package backports, and exploitability are different questions.