CVE-2025-8277

Summary

A flaw was found in libssh's handling of key exchange (KEX) processes when a client repeatedly sends incorrect KEX guesses. The library fails to free memory during these rekey operations, which can gradually exhaust system memory. This issue can lead to crashes on the client side, particularly when using libgcrypt, which impacts application stability and availability.

Affected Software

VendorProductVersion RangeStatus
0.6.0 < 0.11.3affected
Red HatRed Hat Enterprise Linux 90:0.10.4-18.el9 < *unaffected
Red HatRed Hat Enterprise Linux 90:0.10.4-18.el9 < *unaffected

Weaknesses

  • CWE-401: Missing Release of Memory after Effective Lifetime

Workarounds

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability. It is strongly advised to apply updated libssh packages once available to prevent memory exhaustion risks on client systems.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References