CVE-2025-26465
Openssh: machine-in-the-middle attack if verifyhostkeydns is enabled
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
2Exploited in Wild
-Decision
Descriptions
A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle attack can be performed by a malicious machine impersonating a legit server. This issue occurs due to how OpenSSH mishandles error codes in specific conditions when verifying the host key. For an attack to be considered successful, the attacker needs to manage to exhaust the client's memory resource first, turning the attack complexity high.
It was discovered that the OpenSSH client incorrectly handled the non-default VerifyHostKeyDNS option. If that option were enabled, an attacker could possibly impersonate a server by completely bypassing the server identity check. It was discovered that OpenSSH incorrectly handled the transport-level ping facility. A remote attacker could possibly use this issue to cause OpenSSH clients and servers to consume resources, leading to a denial of service. This issue only affected Ubuntu 24.04 LTS and Ubuntu 24.10.
CVSS Scores
SSVC
- Decision:Attend
Timeline
- 2025-02-10 CVE Reserved
- 2025-02-18 CVE Published
- 2025-02-19 EPSS Updated
- 2025-02-19 First Exploit
- 2025-03-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-390: Detection of Error Condition Without Action
CAPEC
References (15)
| URL | Date | SRC |
|---|---|---|
| https://github.com/rxerium/CVE-2025-26465 | 2025-02-19 | |
| https://github.com/dolutech/patch-manual-CVE-2025-26465-e-CVE-2025-26466 | 2025-02-21 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Centos Search vendor "Centos" | Centos Search vendor "Centos" for product "Centos" | * | - |
Affected
| ||||||
| Red Hat Search vendor "Red Hat" | Enterprise Linux Search vendor "Red Hat" for product "Enterprise Linux" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Openshift Search vendor "Redhat" for product "Openshift" | * | - |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | * | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | * | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | * | - |
Affected
| ||||||
| Freebsd Search vendor "Freebsd" | Freebsd Search vendor "Freebsd" for product "Freebsd" | * | - |
Affected
| ||||||
| Opensuse Search vendor "Opensuse" | Leap Search vendor "Opensuse" for product "Leap" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Openshift Search vendor "Redhat" for product "Openshift" | * | - |
Affected
| ||||||
| Slackware Search vendor "Slackware" | Slackware Linux Search vendor "Slackware" for product "Slackware Linux" | * | - |
Affected
| ||||||
| Suse Search vendor "Suse" | Sle-module-basesystem Search vendor "Suse" for product "Sle-module-basesystem" | * | - |
Affected
| ||||||
| Suse Search vendor "Suse" | Sle-module-desktop-applications Search vendor "Suse" for product "Sle-module-desktop-applications" | * | - |
Affected
| ||||||
| Suse Search vendor "Suse" | Sle Hpc-espos Search vendor "Suse" for product "Sle Hpc-espos" | * | - |
Affected
| ||||||
| Suse Search vendor "Suse" | Sle Hpc-ltss Search vendor "Suse" for product "Sle Hpc-ltss" | * | - |
Affected
| ||||||
| Suse Search vendor "Suse" | Sles-ltss-extended-security Search vendor "Suse" for product "Sles-ltss-extended-security" | * | - |
Affected
| ||||||
| Suse Search vendor "Suse" | Sles-ltss Search vendor "Suse" for product "Sles-ltss" | * | - |
Affected
| ||||||
| Suse Search vendor "Suse" | Sles Sap Search vendor "Suse" for product "Sles Sap" | * | - |
Affected
| ||||||
| Suse Search vendor "Suse" | Suse-manager-proxy Search vendor "Suse" for product "Suse-manager-proxy" | * | - |
Affected
| ||||||
| Suse Search vendor "Suse" | Suse-manager-server Search vendor "Suse" for product "Suse-manager-server" | * | - |
Affected
| ||||||