CVE-2025-26465

MEDIUM6.8EPSS 64.5%

openssh - security update

Published: 2/18/2025Modified: 4/28/2026

Description

A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle attack can be performed by a malicious machine impersonating a legit server. This issue occurs due to how OpenSSH mishandles error codes in specific conditions when verifying the host key. For an attack to be considered successful, the attacker needs to manage to exhaust the client's memory resource first, turning the attack complexity high.

Affected packages (4)

Alpine/opensshfrom 0, < 9.3_p2-r3
Debian/opensshfrom 0, < 1:8.4p1-5+deb11u4
Debian/opensshfrom 0, < 1:8.4p1-5+deb11u4
Debian/opensshfrom 0, < 1:9.2p1-2+deb12u5

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.8	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

References (2)

ADVISORYhttps://security.alpinelinux.org/vuln/CVE-2025-26465
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2025-26465