CVE-2025-26466 in OpenSSHinfo

Summary

by MITRE • 03/01/2025

A flaw was found in the OpenSSH package. For each ping packet the SSH server receives, a pong packet is allocated in a memory buffer and stored in a queue of packages. It is only freed when the server/client key exchange has finished. A malicious client may keep sending such packages, leading to an uncontrolled increase in memory consumption on the server side. Consequently, the server may become unavailable, resulting in a denial of service attack.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 10/14/2025

This vulnerability exists within the OpenSSH implementation where the server maintains a queue of pong packets allocated in memory for each ping packet received during the key exchange process. The memory allocation for these pong packets occurs upon receipt of ping messages but remains allocated until the completion of the server-client key exchange operation. This design flaw creates a potential memory exhaustion scenario where an attacker can continuously send ping packets without completing the key exchange process, causing the server to accumulate memory buffers indefinitely. The vulnerability specifically affects the server-side implementation of SSH protocol handling and represents a classic resource exhaustion attack vector that can be exploited through improper memory management practices. According to CWE-400, this vulnerability maps to the weakness of unspecified resource exhaustion, while the ATT&CK framework categorizes this under T1499.004 for Network Denial of Service attacks.

The operational impact of this vulnerability extends beyond simple resource consumption as it creates a persistent denial of service condition that can affect server availability and system performance. Attackers can maintain sustained memory consumption by continuously sending ping packets without completing the authentication process, effectively causing the SSH server to consume increasing amounts of memory over time. This memory leak can eventually lead to system instability, application crashes, or complete service unavailability. The vulnerability is particularly concerning because it operates at the protocol level and can be exploited with minimal authentication requirements, making it accessible to attackers who may not have legitimate access credentials. The attack can be executed from any network location capable of reaching the SSH server, and the memory consumption grows linearly with the number of ping packets sent, potentially leading to system resource exhaustion within minutes of attack initiation.

Mitigation strategies for this vulnerability should include implementing rate limiting mechanisms to restrict the number of ping packets that can be sent within a given time period, configuring memory limits for SSH server processes, and enabling automatic cleanup of pending ping/pong packet queues. System administrators should consider implementing connection timeouts that force completion of key exchange operations within defined time limits, preventing indefinite memory allocation. The OpenSSH community has addressed this issue through patch updates that implement proper memory management practices, ensuring that pong packets are freed immediately after processing regardless of key exchange completion status. Additionally, monitoring systems should be configured to detect unusual memory consumption patterns and alert administrators when SSH server memory usage exceeds normal thresholds. Network-level firewalls can also be configured to limit the rate of SSH protocol messages, providing an additional layer of defense against this specific attack vector. Organizations should prioritize patching affected systems and implementing these protective measures to prevent exploitation and maintain service availability.

Reservation

02/10/2025

Disclosure

03/01/2025

Moderation

accepted

CPE

ready

EPSS

0.38474

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!