CVE-2025-26466

Summary

A flaw was found in the OpenSSH package. For each ping packet the SSH server receives, a pong packet is allocated in a memory buffer and stored in a queue of packages. It is only freed when the server/client key exchange has finished. A malicious client may keep sending such packages, leading to an uncontrolled increase in memory consumption on the server side. Consequently, the server may become unavailable, resulting in a denial of service attack.

Affected Software

VendorProductVersion RangeStatus
9.5p1 <= 9.9p1affected

Weaknesses

  • CWE-770: Allocation of Resources Without Limits or Throttling

Workarounds

This issue can be mitigated by setting the following three different options in the sshd configuration file located at: /etc/ssh/sshd_config

MaxStartups: Set to a reasonable value, this option controls the maximum number of concurrent unauthenticated connections the SSH server accepts;

PerSourcePenalties: Set its suboptions to a reasonable value, this option is used to help sshd to detect and drop connections that are potentially malicious for the SSH server;

LoginGraceTime: Set to a resonable value, this option controls how much time the SSH server will wait the client to authenticate before dropping its connection;

All the three option above needs to be set to implement a full mitigation for this vulnerability.

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

Additional References

References