A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A malicious machine impersonating a legitimate server can perform a machine-in-the-middle attack. The issue is caused by OpenSSH mishandling error codes under specific conditions when verifying the host key.
For the attack to succeed, the attacker must first exhaust the client's memory resources, which makes the attack complexity high.
Vulnerable Products (10)

| Configuration | From (including) | Up to (excluding) |
|---|---|---|
| Openbsd Openssh `cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*` | 6.9 | <= 9.8 |
| Openbsd Openssh `cpe:2.3:a:openbsd:openssh:6.8:p1:*:*:*:*:*:*` | — | — |
| Openbsd Openssh `cpe:2.3:a:openbsd:openssh:9.9:-:*:*:*:*:*:*` | — | — |
| Openbsd Openssh `cpe:2.3:a:openbsd:openssh:9.9:p1:*:*:*:*:*:*` | — | — |
| Netapp Active_Iq_Unified_Manager `cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*` | — | — |
| Netapp Ontap `cpe:2.3:a:netapp:ontap:9:*:*:*:*:*:*:*` | — | — |
| Redhat Openshift_Container_Platform `cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*` | — | — |
| Debian Debian_Linux `cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*` | — | — |
| Debian Debian_Linux `cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*` | — | — |
| Redhat Enterprise_Linux `cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*` | — | — |