OpenSSH has once again found itself in the security spotlight. Just seven months after the regreSSHion flaw was disclosed, two new critical flaws have come to light. This time the risks stem from a Man-in-the-Middle (MITM) vulnerability and a Denial-of-Service (DoS) vulnerability, each with the potential to disrupt or compromise secure communications.
OpenSSH (Open Secure Shell) is a free, open-source implementation of the SSH (Secure Shell) protocol that enables encrypted communication for secure remote access, file transfers, and tunneling over untrusted networks. It is one of the most widely used tools globally, with broad adoption across Linux and Unix-based systems. It plays a critical role in enterprise environments, cloud computing, and cybersecurity applications.
Technical Details
CVE-2025-26465 arises from a flaw introduced a decade ago. If the ‘VerifyHostKeyDNS’ option is enabled, an attacker can carry out a Man-in-the-Middle (MITM) attack against the OpenSSH client. The option is disabled by default but was enabled on FreeBSD from September 2013 until March 2023.
When the option is enabled, an attacker who intercepts an SSH connection can impersonate any server, because of improper error handling in the client: forcing an out-of-memory error during host key verification causes the verification to be bypassed. The attacker triggers this by presenting a large SSH key with surplus certificate extensions, which exhausts the client’s memory, and can then hijack the session. From there, the attacker can steal credentials, inject commands, and exfiltrate data.
CVE-2025-26466 tracks a flaw that allows a pre-authentication memory and CPU Denial-of-Service (DoS) attack. The issue is caused by unrestricted memory allocation during the key exchange, which leads to uncontrolled resource consumption.
An attacker exploits it by repeatedly sending 16-byte ping messages, each of which prompts OpenSSH to buffer a 256-byte response without any limit. These responses are retained for the duration of the key exchange, so memory consumption and CPU load keep growing and can ultimately crash the system.
Products Affected
- CVE-2025-26465 affects OpenSSH versions 6.8p1 through 9.9p1
- CVE-2025-26466 affects OpenSSH versions 9.5p1 through 9.9p1
Solutions and Mitigations
OpenSSH has released version 9.9p2, which addresses the vulnerabilities mentioned above. Users should upgrade to this version immediately to mitigate the identified risks.
For additional protection, disable ‘VerifyHostKeyDNS’ unless it is genuinely needed, and manually verify host key fingerprints before trusting a connection.
To mitigate the risk of DoS attacks, administrators should implement strict connection rate limits and actively monitor SSH traffic for any unusual patterns to detect and block potential threats.
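As an added example (not code from the original article or from the OpenSSH project), the following POSIX shell snippet turns the two checks above into something an administrator can run: it classifies an OpenSSH version string against the affected ranges stated under "Products Affected", and reports whether an ssh_config enables VerifyHostKeyDNS. The demo input at the bottom is constructed, and the config check deliberately ignores Host/Match blocks (a simplification, noted in the comments).

```shell
#!/bin/sh
# Added example, not code from the original article or the OpenSSH project.
#   1. which of the two CVEs a given OpenSSH version string falls into
#   2. whether an ssh_config enables VerifyHostKeyDNS (CVE-2025-26465 precondition)

# Convert "9.9p1" or ssh -V's "OpenSSH_9.9p1, OpenSSL ..." into a comparable
# integer: major*10000 + minor*100 + patch. A missing "pN" suffix counts as p0.
ssh_ver_num() {
  v=${1#OpenSSH_}; v=${v%%,*}; v=${v%% *}
  major=${v%%.*}; rest=${v#*.}
  minor=${rest%%p*}; patch=${rest#*p}
  [ "$patch" = "$rest" ] && patch=0
  echo $((major * 10000 + minor * 100 + patch))
}

# Ranges as stated in "Products Affected": 6.8p1-9.9p1 and 9.5p1-9.9p1.
# 9.9p2 and later fall outside both ranges.
ssh_cve_status() {
  n=$(ssh_ver_num "$1"); out=""
  [ "$n" -ge 60801 ] && [ "$n" -le 90901 ] && out="CVE-2025-26465"
  [ "$n" -ge 90501 ] && [ "$n" -le 90901 ] && out="${out:+$out }CVE-2025-26466"
  echo "${out:-not in the affected ranges}"
}

# Read ssh_config text on stdin and print the VerifyHostKeyDNS value.
# Simplification (assumption): Host/Match blocks are not evaluated; the first
# non-comment occurrence wins, mirroring OpenSSH's first-match rule for a
# flat config. No keyword at all means the compiled-in default, "no".
verify_host_key_dns_setting() {
  awk '/^[[:space:]]*#/ { next }
       tolower($1) == "verifyhostkeydns" && !found { print tolower($2); found = 1 }
       END { if (!found) print "no (default)" }'
}

# Constructed demo input (not a real host): an unpatched client that still
# carries the setting FreeBSD shipped with between 2013 and 2023.
demo_config='Host *
  VerifyHostKeyDNS yes
  ServerAliveInterval 30'
echo "version 9.9p1 -> $(ssh_cve_status OpenSSH_9.9p1)"
echo "VerifyHostKeyDNS -> $(printf '%s\n' "$demo_config" | verify_host_key_dns_setting)"
# On a live host:  ssh -V 2>&1 | { read -r v; ssh_cve_status "$v"; }
# and:             verify_host_key_dns_setting < /etc/ssh/ssh_config
```

A result of "yes" on a client inside the 6.8p1 to 9.9p1 range is the combination that needs both the upgrade and the configuration change.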
Instantly Fix Risks with SanerNow Patch Management
SanerNow patch management is continuous, automated, and integrated software that instantly fixes risks exploited in the wild. It supports major operating systems such as Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. SanerNow patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
