RCE in OpenSSH's server, on glibc-based Linux systems
(CVE-2024-6387)

qualys.com/2024/07/01/cve-2024

> Finally, if sshd cannot be updated or recompiled, this signal handler race condition can be fixed by simply setting LoginGraceTime to 0 in the configuration file. This makes sshd vulnerable to a denial of service (the exhaustion of all MaxStartups connections), but it makes it safe from the remote code execution presented in this advisory.

NixOS:
services.openssh.settings.LoginGraceTime = 0;