CVE-2026-55653
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Summary
A flaw was found in OpenSSH. A malicious SSH server can exploit a double free vulnerability in the Diffie-Hellman Group Exchange (DH-GEX) client path. This occurs during FIPS (Federal Information Processing Standards) mode known-group validation when the client processes attacker-controlled DH-GEX group parameters. Successful exploitation leads to client-side process termination, resulting in a Denial of Service (DoS).
Affected Software
| Vendor | Product | Version Range | Status |
|---|
Weaknesses
- CWE-415: Double Free
Workarounds
To mitigate this issue, OpenSSH clients operating in FIPS mode should avoid negotiating the diffie-hellman-group-exchange-sha256 key exchange algorithm. This can be achieved by explicitly listing allowed key exchange algorithms in the client's SSH configuration file (e.g., /etc/ssh/ssh_config or ~/.ssh/config), ensuring diffie-hellman-group-exchange-sha256 is not included. For example, to use a subset of common algorithms, you might configure:
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1
(Note: The above example KexAlgorithms list is illustrative and should be adjusted based on your environment's security requirements.)
Additionally, avoid using non-fatal client flows, such as ssh-keyscan, against untrusted SSH servers while FIPS mode is enabled. Changes to ssh_config will take effect for new SSH connections.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://access.redhat.com/security/cve/CVE-2026-55653
- https://bugzilla.redhat.com/show_bug.cgi?id=2462351
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.