CVE-2025-26465

Source
https://cve.org/CVERecord?id=CVE-2025-26465
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-26465.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-26465
Downstream
Related
Published
2025-02-18T19:15:29.230Z
Modified
2026-02-11T13:44:41.195066Z
Severity
  • 6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Summary
[none]
Details

A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A malicious machine impersonating a legitimate server can perform a machine-in-the-middle attack. The issue arises from how OpenSSH mishandles error codes in specific conditions when verifying the host key. For the attack to succeed, the attacker must first exhaust the client's memory resources, which makes the attack complexity high.

References

Affected packages

Git / github.com/openssh/openssh-portable

Affected ranges

Type
GIT
Repo
https://github.com/openssh/openssh-portable
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Introduced
Last affected

Affected versions

Other
V_6_9_P1

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-26465.json"