diff -urp openssh-8.7p1-43.el9-tree.orig/krl.c openssh-8.7p1-43.el9-tree.qualys-retval/krl.c
--- openssh-8.7p1-43.el9-tree.orig/krl.c	2025-02-14 00:31:18.634510910 +0000
+++ openssh-8.7p1-43.el9-tree.qualys-retval/krl.c	2025-02-21 02:48:23.080972135 +0000
@@ -674,6 +674,7 @@ revoked_certs_generate(struct revoked_ce
 			break;
 		case KRL_SECTION_CERT_SERIAL_BITMAP:
 			if (rs->lo - bitmap_start > INT_MAX) {
+				r = SSH_ERR_INVALID_FORMAT;
 				error_f("insane bitmap gap");
 				goto out;
 			}
@@ -1008,6 +1009,7 @@ ssh_krl_from_blob(struct sshbuf *buf, st
 		goto out;
 
 	if ((krl = ssh_krl_init()) == NULL) {
+		r = SSH_ERR_ALLOC_FAIL;
 		error_f("alloc failed");
 		goto out;
 	}
diff -urp openssh-8.7p1-43.el9-tree.orig/ssh-agent.c openssh-8.7p1-43.el9-tree.qualys-retval/ssh-agent.c
--- openssh-8.7p1-43.el9-tree.orig/ssh-agent.c	2025-02-14 00:31:18.653510894 +0000
+++ openssh-8.7p1-43.el9-tree.qualys-retval/ssh-agent.c	2025-02-21 04:01:32.677160367 +0000
@@ -700,6 +700,8 @@ process_add_identity(SocketEntry *e)
 	if ((r = sshkey_private_deserialize(e->request, &k)) != 0 ||
 	    k == NULL ||
 	    (r = sshbuf_get_cstring(e->request, &comment, NULL)) != 0) {
+		if (!r) /* k == NULL */
+			r = SSH_ERR_INTERNAL_ERROR;
 		error_fr(r, "parse");
 		goto out;
 	}
diff -urp openssh-8.7p1-43.el9-tree.orig/sshconnect2.c openssh-8.7p1-43.el9-tree.qualys-retval/sshconnect2.c
--- openssh-8.7p1-43.el9-tree.orig/sshconnect2.c	2025-02-14 00:31:18.743510817 +0000
+++ openssh-8.7p1-43.el9-tree.qualys-retval/sshconnect2.c	2025-02-21 02:48:30.464965775 +0000
@@ -102,7 +102,7 @@ verify_host_key_callback(struct sshkey *
 	    options.required_rsa_size)) != 0)
 		fatal_r(r, "Bad server host key");
 	if (verify_host_key(xxx_host, xxx_hostaddr, hostkey,
-	    xxx_conn_info) == -1)
+	    xxx_conn_info) != 0)
 		fatal("Host key verification failed.");
 	return 0;
 }
@@ -811,6 +811,7 @@ input_userauth_pk_ok(int type, u_int32_t
 
 	if ((pktype = sshkey_type_from_name(pkalg)) == KEY_UNSPEC) {
 		debug_f("server sent unknown pkalg %s", pkalg);
+		r = SSH_ERR_INVALID_FORMAT;
 		goto done;
 	}
 	if ((r = sshkey_from_blob(pkblob, blen, &key)) != 0) {
@@ -821,6 +822,7 @@ input_userauth_pk_ok(int type, u_int32_t
 		error("input_userauth_pk_ok: type mismatch "
 		    "for decoded key (received %d, expected %d)",
 		    key->type, pktype);
+		r = SSH_ERR_INVALID_FORMAT;
 		goto done;
 	}
 
@@ -840,6 +842,7 @@ input_userauth_pk_ok(int type, u_int32_t
 		    SSH_FP_DEFAULT);
 		error_f("server replied with unknown key: %s %s",
 		    sshkey_type(key), fp == NULL ? "<ERROR>" : fp);
+		r = SSH_ERR_INVALID_FORMAT;
 		goto done;
 	}
 	ident = format_identity(id);
diff -urp openssh-8.7p1-43.el9-tree.orig/sshsig.c openssh-8.7p1-43.el9-tree.qualys-retval/sshsig.c
--- openssh-8.7p1-43.el9-tree.orig/sshsig.c	2025-02-14 00:31:18.658510889 +0000
+++ openssh-8.7p1-43.el9-tree.qualys-retval/sshsig.c	2025-02-21 02:48:30.465965774 +0000
@@ -971,6 +971,7 @@ cert_filter_principals(const char *path,
 	}
 	if ((principals = sshbuf_dup_string(nprincipals)) == NULL) {
 		error_f("buffer error");
+		r = SSH_ERR_ALLOC_FAIL;
 		goto out;
 	}
 	/* success */
diff -urp openssh-8.7p1-43.el9-tree.orig/ssh-sk-client.c openssh-8.7p1-43.el9-tree.qualys-retval/ssh-sk-client.c
--- openssh-8.7p1-43.el9-tree.orig/ssh-sk-client.c	2021-08-20 04:03:49.000000000 +0000
+++ openssh-8.7p1-43.el9-tree.qualys-retval/ssh-sk-client.c	2025-02-21 02:48:30.462965777 +0000
@@ -419,6 +419,7 @@ sshsk_load_resident(const char *provider
 		if ((tmp = recallocarray(keys, nkeys, nkeys + 1,
 		    sizeof(*keys))) == NULL) {
 			error_f("recallocarray keys failed");
+			r = SSH_ERR_ALLOC_FAIL;
 			goto out;
 		}
 		debug_f("keys[%zu]: %s %s", nkeys, sshkey_type(key),