Cyber Resilience

CVE-2023-25136

Medium severity | Public PoC

Published: 03 February 2023
Modified: 28 May 2026
CVSS Score v3.1: 6.5 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H)
EPSS Score: 0.8833 (99.5th percentile)
Risk Priority: 66 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-25136 is a medium-severity Double Free (CWE-415) vulnerability in the OpenSSH server (sshd) 9.1; the affected package ships in Fedora 37 and 38 and in several NetApp products (see Affected Assets). Its CVSS v3.1 base score is 6.5 (Medium).

Operationally, it ranks in the top 0.5% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

OpenSSH server (sshd) 9.1 contains a double free (CWE-415) in compat_kex_proposal() (compat.c), the routine that rewrites options.kex_algorithms for clients whose version string matches one of sshd's compatibility patterns. The bug was introduced in 9.1 and is fixed in OpenSSH 9.2; sshd is affected in its default configuration.

An unauthenticated remote attacker reaches the flaw before authentication simply by presenting a client version banner that selects the SSH_OLD_DHGEX compatibility quirk without SSH_BUG_CURVE25519PAD (sshd's FuTTY* entry is one such pattern): the original kex_algorithms string is freed inside compat_kex_proposal() while sshd still holds a pointer to it and frees it again later. The double free can be leveraged to jump to an arbitrary location in the sshd address space. Third-party analysis notes that remote code execution is theoretically possible, but the free occurs in the unprivileged, sandboxed pre-authentication child process, so turning it into code execution is considered difficult; the CVSS 6.5 rating reflects that high attack complexity and scopes the impact to integrity (low) and availability (high), with no confidentiality impact.

The oss-security mailing list threads that discuss this CVE confirm that the OpenSSH 9.2 release contains the fix eliminating the double-free condition.
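The ownership mistake behind the double free is easier to see in code. The following C program is an added illustration, not OpenSSH's source: it models the 9.1 shape of compat_kex_proposal() (an intermediate pointer that may still alias the caller's options.kex_algorithms buffer, followed by a free of that pointer) next to the 9.2 shape (the input is never freed, only the function's own intermediate copy). The flag names are OpenSSH's, but their bit values, the simplified filter_denylist() helper, the SAMPLE_KEX proposal string and the tracked_free() instrumentation are constructed for this demo, and the caller's final free stands in for the later free sshd performs on its own pointer. The instrumentation counts a repeat free instead of passing it to the allocator, so the program reports the double free rather than aborting.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Flag names mirror OpenSSH's; the bit values and the sample proposal are our own. */
#define SSH_BUG_CURVE25519PAD 0x01
#define SSH_OLD_DHGEX         0x02
#define CURVE_DENY "curve25519-sha256@libssh.org"
#define DHGEX_DENY "diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1"
#define SAMPLE_KEX "curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256," \
                   "diffie-hellman-group14-sha256"

/* free() instrumentation: a repeat free of the same block is counted rather than
   handed to the allocator, so the demo reports the bug instead of crashing. */
static void *freed_ptrs[16];
static int freed_count = 0, double_free_hits = 0;
static void tracked_free(void *p)
{
    for (int i = 0; p != NULL && i < freed_count; i++)
        if (freed_ptrs[i] == p) { double_free_hits++; return; }  /* second free */
    if (p != NULL && freed_count < 16) freed_ptrs[freed_count++] = p;
    free(p);
}
static char *xstrdup(const char *s)   /* strdup() without relying on POSIX */
{ char *d = malloc(strlen(s) + 1); if (d == NULL) exit(1); return strcpy(d, s); }

/* 1 if `name` is an element of the comma-separated `list`. */
static int in_list(const char *name, const char *list)
{
    size_t n = strlen(name);
    for (const char *s = list, *e = NULL;; s = e + 1) {
        e = strchr(s, ',');
        if ((e ? (size_t)(e - s) : strlen(s)) == n && memcmp(s, name, n) == 0) return 1;
        if (e == NULL) return 0;
    }
}

/* Copy of `p` minus the elements named in `deny`, always a fresh allocation
   (simplified stand-in for OpenSSH's match_filter_denylist()). */
static char *filter_denylist(const char *p, const char *deny)
{
    char *work = xstrdup(p), *out = xstrdup(p);   /* output never grows */
    out[0] = '\0';
    for (char *tok = strtok(work, ","); tok != NULL; tok = strtok(NULL, ","))
        if (!in_list(tok, deny)) {
            if (out[0] != '\0') strcat(out, ",");
            strcat(out, tok);
        }
    free(work);
    return out;
}

/* OpenSSH 9.1 logic (CVE-2023-25136): with SSH_OLD_DHGEX set and SSH_BUG_CURVE25519PAD
   clear, `cp` aliases the caller's buffer, which sshd still owns and frees again later. */
static char *compat_kex_proposal_vuln(int compat, char *p)
{
    char *cp = NULL;
    if ((compat & (SSH_BUG_CURVE25519PAD | SSH_OLD_DHGEX)) == 0) return xstrdup(p);
    if (compat & SSH_BUG_CURVE25519PAD) p = filter_denylist(p, CURVE_DENY);
    if (compat & SSH_OLD_DHGEX) {
        cp = p;                        /* BUG: may still be the caller's buffer */
        p = filter_denylist(p, DHGEX_DENY);
        tracked_free(cp);              /* first free of options.kex_algorithms */
    }
    return p;
}

/* OpenSSH 9.2 logic: the input stays read-only; only this function's own
   intermediate allocation is ever freed here. */
static char *compat_kex_proposal_fixed(int compat, const char *p)
{
    char *cp = NULL, *cp2 = NULL;
    if ((compat & (SSH_BUG_CURVE25519PAD | SSH_OLD_DHGEX)) == 0) return xstrdup(p);
    if (compat & SSH_BUG_CURVE25519PAD) cp = filter_denylist(p, CURVE_DENY);
    if (compat & SSH_OLD_DHGEX) {
        cp2 = filter_denylist(cp != NULL ? cp : p, DHGEX_DENY);
        tracked_free(cp);              /* our own intermediate, or NULL */
        cp = cp2;
    }
    return cp;
}

/* One simulated pre-auth KEX setup. Returns the number of double frees observed,
   or -1 if the proposal still carries an algorithm SSH_OLD_DHGEX should have dropped. */
static int simulate_kex(int compat, int use_fixed)
{
    freed_count = double_free_hits = 0;
    char *kex_algorithms = xstrdup(SAMPLE_KEX);   /* plays options.kex_algorithms */
    char *proposal = use_fixed ? compat_kex_proposal_fixed(compat, kex_algorithms)
                               : compat_kex_proposal_vuln(compat, kex_algorithms);
    int leaked = (compat & SSH_OLD_DHGEX) &&
                 in_list("diffie-hellman-group-exchange-sha256", proposal);
    tracked_free(kex_algorithms);    /* sshd's own later free of its pointer */
    tracked_free(proposal);
    return leaked ? -1 : double_free_hits;
}

int main(void)
{
    printf("9.1 logic: %d double free(s); 9.2 logic: %d\n",
           simulate_kex(SSH_OLD_DHGEX, 0), simulate_kex(SSH_OLD_DHGEX, 1));
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run: the 9.1 path reports one double free when the banner selects SSH_OLD_DHGEX alone and none when SSH_BUG_CURVE25519PAD is also set (the freed pointer is then the function's own copy), which is why the trigger depends on which compat entry the client banner matches. Swapping tracked_free() for free() and building with -fsanitize=address reproduces the classic double-free report instead of a count.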

The associated EPSS score reached a peak of 0.9097 with a current value of 0.8833.

Vulnerability details

OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be leveraged, by an unauthenticated remote attacker in the default configuration, to jump to any location in the sshd address space. One third-party report states "remote code execution is theoretically possible."

CWE(s)

CWE-415: Double Free

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor / product: affected versions
openbsd / openssh: 9.1
fedoraproject / fedora: 37, 38
netapp / ontap select deploy administration utility: all versions
netapp / a250 firmware: all versions
netapp / 500f firmware: all versions
netapp / c250 firmware: all versions

Mitigating Controls

No mitigating controls have been mapped yet; the per-CVE control annotator has not reached this CVE. The vendor remediation is to upgrade sshd to OpenSSH 9.2 or later, which removes the double-free condition.
