PT-2025-7169 · Openssh+8

Gianluca Gabrielli

·

Published

2025-02-18

·

Updated

2026-03-10

·

CVE-2025-26466

CVSS v4.0

8.2

High

Vector AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: OpenSSH 9.5p1 through 9.9p1
Description: The issue is an uncontrolled consumption of resources in OpenSSH that a remote, unauthenticated attacker can exploit to cause a denial of service through memory exhaustion or CPU consumption. Both the server (sshd) and the client (ssh) are affected, so a malicious client can target a server and a malicious server can target a connecting client. The vulnerable code was introduced in August 2023 and first shipped in 9.5p1; it lies in the handling of SSH2_MSG_PING packets and can be triggered before authentication completes.
Recommendations: For OpenSSH 9.5p1 through 9.9p1, upgrade to OpenSSH 9.9p2 (or a vendor build that carries the fix; see the related identifiers below) without delay. Review SSH configurations to ensure security settings are properly enforced. As a temporary workaround, the existing PerSourcePenalties feature can limit the impact on servers; note that it is an sshd-only option that exists in OpenSSH 9.8p1 and later, so it offers no protection for clients connecting to a malicious server and nothing for servers running 9.5p1 through 9.7p1.
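The following model, added here as an illustration and not code from OpenSSH or from this advisory, shows the weakness class the description names: a peer that answers every SSH2_MSG_PING with a buffered SSH2_MSG_PONG while key exchange is still running, so the replies cannot be flushed and an unauthenticated sender grows the peer's memory at will. A bounded variant stops queueing once a backlog cap is hit. The packet sizes, the cap and the names `Peer`, `flood`, `on_ping_unbounded` and `on_ping_bounded` are assumptions of the model, not values or identifiers taken from OpenSSH.

```python
"""Model of an unbounded reply queue fed by pre-authentication pings.

Added example, not OpenSSH code.  Sizes and the cap below are assumed
values chosen for the model, not figures taken from OpenSSH.
"""
from dataclasses import dataclass

PING_WIRE_BYTES = 16          # assumed size of the smallest ping a sender can emit
PONG_QUEUED_BYTES = 256       # assumed size of the reply buffered until it can be sent
MAX_QUEUED_BYTES = 64 * 1024  # assumed backlog cap used by the hardened variant


@dataclass
class Peer:
    kex_done: bool = False    # replies can only be flushed once key exchange completes
    queued_bytes: int = 0     # reply bytes waiting in the output buffer
    dropped_pongs: int = 0    # replies the hardened variant refused to queue

    def _flush(self) -> None:
        # While key exchange is in progress nothing leaves the buffer.
        if self.kex_done:
            self.queued_bytes = 0

    def on_ping_unbounded(self) -> None:
        # Vulnerable pattern: a reply is queued for every ping, whatever the backlog.
        self.queued_bytes += PONG_QUEUED_BYTES
        self._flush()

    def on_ping_bounded(self) -> None:
        # Hardened pattern: refuse to queue once the backlog would exceed the cap.
        if self.queued_bytes + PONG_QUEUED_BYTES > MAX_QUEUED_BYTES:
            self.dropped_pongs += 1
            return
        self.queued_bytes += PONG_QUEUED_BYTES
        self._flush()


def flood(handler: str, pings: int, kex_done: bool = False) -> dict:
    """Send `pings` pings to a fresh peer and report what it cost each side."""
    peer = Peer(kex_done=kex_done)
    on_ping = getattr(peer, handler)
    for _ in range(pings):
        on_ping()
    sent = pings * PING_WIRE_BYTES
    return {
        "attacker_bytes_sent": sent,
        "peer_bytes_queued": peer.queued_bytes,
        "pongs_dropped": peer.dropped_pongs,
        # bytes the peer holds per byte the attacker had to send
        "amplification": peer.queued_bytes / sent if sent else 0.0,
    }


if __name__ == "__main__":
    for name in ("on_ping_unbounded", "on_ping_bounded"):
        print(name, flood(name, pings=100_000))
    # Once key exchange has completed the backlog drains and neither variant grows.
    print("after kex", flood("on_ping_unbounded", pings=100_000, kex_done=True))
```

Running the flood against the unbounded handler shows the peer holding 16 times the bytes the sender transmitted, with no ceiling other than the process's memory; the bounded handler levels off at the cap and discards the rest, which is the property a fix for this weakness class must provide. Once key exchange has finished the backlog drains in both variants, which is why the condition is only reachable pre-authentication in the model.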
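A small triage helper for the upgrade recommendation, added here as an example and not tooling from the advisory or from OpenSSH: it parses the version string from `ssh -V` output or from a server banner such as `SSH-2.0-OpenSSH_9.9p1 Ubuntu-3ubuntu3.1` and reports whether it falls in the affected upstream range 9.5p1 through 9.9p1. The function names (`parse_openssh_version`, `is_affected_upstream`, `triage`, `local_ssh_version_text`) are this example's own. The important caveat, which the code spells out in its result, is that distributions frequently backport the fix without bumping the version, so a version in the affected range is a prompt to check the vendor advisory (see the related identifiers below), not proof of exposure.

```python
"""Version triage for CVE-2025-26466 (added example, not OpenSSH tooling)."""
import re
import subprocess

AFFECTED_MIN = (9, 5, 1)   # first affected release
FIXED = (9, 9, 2)          # first upstream release carrying the fix

# Matches "OpenSSH_9.9p1" in ssh -V output or in an SSH-2.0 banner.
# OpenBSD base builds have no "p" suffix; the portable component is then 0.
_VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


def parse_openssh_version(text: str):
    """Return (major, minor, portable) or None if no OpenSSH version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, portable = m.groups()
    return (int(major), int(minor), int(portable) if portable else 0)


def is_affected_upstream(version) -> bool:
    """True if the upstream version lies in 9.5p1 <= v < 9.9p2."""
    return AFFECTED_MIN <= version < FIXED


def triage(text: str) -> dict:
    version = parse_openssh_version(text)
    if version is None:
        return {"version": None, "affected_upstream": None,
                "note": "no OpenSSH version string found"}
    affected = is_affected_upstream(version)
    if affected:
        note = ("upstream version in the affected range; confirm against the "
                "distribution advisory, vendors often backport the fix without "
                "changing the version string")
    else:
        note = "outside the affected upstream range"
    return {"version": version, "affected_upstream": affected, "note": note}


def local_ssh_version_text() -> str:
    """Collect `ssh -V` output; the version is printed on stderr."""
    try:
        p = subprocess.run(["ssh", "-V"], capture_output=True, text=True)
    except FileNotFoundError:
        return ""
    return p.stderr + p.stdout


if __name__ == "__main__":
    print(triage(local_ssh_version_text()))
    # Constructed banner, the kind returned by a server before key exchange.
    print(triage("SSH-2.0-OpenSSH_9.9p1 Ubuntu-3ubuntu3.1"))
```

To check a remote server, feed the banner it sends on connect (the first line on the socket before key exchange) to `triage`; no authentication is needed to obtain it, which matches how the vulnerability itself is reached.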

Exploit

Fix

DoS

Weakness Enumeration

Resource Exhaustion (uncontrolled resource consumption)
Allocation of Resources Without Limits

Related Identifiers

ALT-PU-2025-3001
ALT-PU-2025-3025
AZL-56898
BDU:2025-01893
CVE-2025-26466
OESA-2025-1314
OPENSUSE-SU-2025:14820-1
OPENSUSE-SU-2025_0585-1
SUSE-SU-2025:0585-1
SUSE-SU-2025:20160-1
SUSE-SU-2025:20226-1
USN-7270-1

Affected Products

ALT Linux
Astra Linux
FreeBSD
IBM AIX
Linux Mint
Apple macOS
OpenSSH
SUSE
Ubuntu