CVE-2025-26466

A flaw was found in the OpenSSH package. For each ping packet the SSH server receives, a pong packet is allocated in a memory buffer and stored in a queue of packages. It is only freed when the server/client key exchange has finished. A malicious client may keep sending such packages, leading to an uncontrolled increase in memory consumption on the server side. Consequently, the server may become unavailable, resulting in a denial of service attack.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.9 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
redhatCNA
5.9 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 97%
VendorProductVersion
openbsdopenssh
9.5:p1
openbsdopenssh
9.6
openbsdopenssh
9.6:p1
openbsdopenssh
9.7
openbsdopenssh
9.7:p1
openbsdopenssh
9.8
openbsdopenssh
9.8:p1
openbsdopenssh
9.9
openbsdopenssh
9.9:p1
canonicalubuntu_linux
24.04
canonicalubuntu_linux
24.10
debiandebian_linux
11.0
debiandebian_linux
12.0
debiandebian_linux
13.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
openssh
bullseye
1:8.4p1-5+deb11u3
not-affected
bookworm
1:9.2p1-2+deb12u6
not-affected
bullseye (security)
1:8.4p1-5+deb11u5
fixed
bookworm (security)
1:9.2p1-2+deb12u5
fixed
sid
1:10.0p1-5
fixed
trixie
1:10.0p1-5
fixed
Common Weakness Enumeration
References
https://access.redhat.com/security/cve/CVE-2025-26466
https://bugzilla.redhat.com/show_bug.cgi?id=2345043
https://seclists.org/oss-sec/2025/q1/144
https://www.qualys.com/2025/02/18/openssh-mitm-dos.txt
https://bugzilla.suse.com/show_bug.cgi?id=1237041
https://security-tracker.debian.org/tracker/CVE-2025-26466
https://security.netapp.com/advisory/ntap-20250228-0002/
https://ubuntu.com/security/CVE-2025-26466
https://www.openwall.com/lists/oss-security/2025/02/18/1
https://www.openwall.com/lists/oss-security/2025/02/18/4
https://www.qualys.com/2025/02/18/openssh-mitm-dos.txt