OVAL

ALAS-2023-1802 --- openssh

ID: oval:org.secpod.oval:def:1601778
Date: (C)2023-09-01   (M)2024-04-11
Class: PATCH
Family: unix




The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if the target user's ssh-agent is forwarded to an attacker-controlled system. Exploitation can also be prevented by starting ssh-agent with an empty PKCS#11/FIDO allowlist or by configuring an allowlist that contains only specific provider libraries. NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.

Platform:
Amazon Linux AMI
Product:
openssh
pam_ssh_agent_auth
Reference:
ALAS-2023-1802
CVE-2023-38408

© SecPod Technologies