🟠 High  |  Source: Microsoft Security Response Center


A vulnerability in SSH SFTP server implementations allows an attacker to trigger an infinite loop by sending specially crafted extended channel data, causing a denial of service. This affects Azure-hosted or Microsoft-managed services relying on the vulnerable SSH/SFTP component. If exploited, legitimate users and automated processes depending on SFTP connectivity could be completely locked out.

Security Architect’s Take: Review any Azure services or custom workloads exposing SFTP endpoints and apply the relevant Microsoft patch immediately. In the interim, consider restricting SFTP access via network security groups or Azure Firewall rules to trusted IP ranges only, reducing the attack surface until patching is confirmed.

Original advisory: CVE-2026-54886 SSH SFTP server denial of service via extended channel data infinite loop