Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

debian логотип

CVE-2025-26465

Опубликовано: 18 фев. 2025
Источник: debian
EPSS Средний

Описание

A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle attack can be performed by a malicious machine impersonating a legit server. This issue occurs due to how OpenSSH mishandles error codes in specific conditions when verifying the host key. For an attack to be considered successful, the attacker needs to manage to exhaust the client's memory resource first, turning the attack complexity high.

Пакеты

ПакетСтатусВерсия исправленияРелизТип
opensshfixed1:9.9p2-1package

Примечания

  • https://www.openssh.com/releasenotes.html#9.9p2

  • https://www.qualys.com/2025/02/18/openssh-mitm-dos.txt

  • Introduced with: https://github.com/openssh/openssh-portable/commit/5e39a49930d885aac9c76af3129332b6e772cd75 (V_6_8_P1)

  • Fixed by: https://github.com/openssh/openssh-portable/commit/0832aac79517611dd4de93ad0a83577994d9c907 (V_9_9_P1)

EPSS

Процентиль: 98%
0.52936
Средний

Связанные уязвимости

ubuntu логотип

CVE-2025-26465

CVSS3: 6.8
ubuntu
6 месяцев назад

A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle attack can be performed by a malicious machine impersonating a legit server. This issue occurs due to how OpenSSH mishandles error codes in specific conditions when verifying the host key. For an attack to be considered successful, the attacker needs to manage to exhaust the client's memory resource first, turning the attack complexity high.

redhat логотип

CVE-2025-26465

CVSS3: 6.8
redhat
6 месяцев назад

A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle attack can be performed by a malicious machine impersonating a legit server. This issue occurs due to how OpenSSH mishandles error codes in specific conditions when verifying the host key. For an attack to be considered successful, the attacker needs to manage to exhaust the client's memory resource first, turning the attack complexity high.

nvd логотип

CVE-2025-26465

CVSS3: 6.8
nvd
6 месяцев назад

A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle attack can be performed by a malicious machine impersonating a legit server. This issue occurs due to how OpenSSH mishandles error codes in specific conditions when verifying the host key. For an attack to be considered successful, the attacker needs to manage to exhaust the client's memory resource first, turning the attack complexity high.

msrc логотип

CVE-2025-26465

CVSS3: 6.8
msrc
6 месяцев назад

Описание отсутствует

suse-cvrf логотип

SUSE-SU-2025:0744-1

suse-cvrf
5 месяцев назад

Security update for openssh8.4

EPSS

Процентиль: 98%
0.52936
Средний