CVE-2025-26466
Published: 28 February 2025
Summary
CVE-2025-26466 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in OpenBSD OpenSSH. Its CVSS base score is 5.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Direct Network Flood (T1498.001). The CVE ranks in the top 1.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the CVE by requiring timely identification, reporting, and remediation of the OpenSSH memory management flaw through patching.
- SC-5 (Denial-of-service Protection): provides denial-of-service protection mechanisms to prevent memory exhaustion from malicious ping packet floods targeting the SSH server.
- SC-6 (Resource Availability): ensures resource availability by protecting system memory from unauthorized or uncontrolled consumption during pre-key-exchange ping handling.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables a pre-authentication denial of service via a ping packet flood that causes asymmetric memory exhaustion on the OpenSSH server (and client), which maps to direct network floods and service/OS exhaustion.
NVD Description
A flaw was found in the OpenSSH package. For each ping packet the SSH server receives, a pong packet is allocated in a memory buffer and stored in a queue of packages. It is only freed when the server/client key exchange has finished. A malicious client may keep sending such packages, leading to an uncontrolled increase in memory consumption on the server side. Consequently, the server may become unavailable, resulting in a denial of service attack.
Deeper analysis
CVE-2025-26466, published on 2025-02-28, is a vulnerability in the OpenSSH package affecting the SSH server component. The flaw stems from improper memory management during the handling of ping packets received before key exchange completion. For each ping packet, the server allocates a pong packet in a memory buffer and stores it in a queue, but these are only freed after the server/client key exchange finishes. This allows a malicious client to send repeated ping packets, resulting in uncontrolled memory consumption and potential server unavailability, classified under CWE-770 (Allocation of Resources Without Limits or Throttling). The CVSS v3.1 base score is 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
A remote, unauthenticated attacker can exploit this vulnerability over the network by continuously sending ping packets to the SSH server prior to key exchange. The high attack complexity (AC:H) likely arises from the need to precisely time and sustain the packet flood without triggering other defenses or completing the handshake. Successful exploitation leads to denial of service through memory exhaustion, rendering the server unresponsive, with no impact on confidentiality or integrity.
Mitigation details are provided in vendor advisories, including the Red Hat security bulletin at https://access.redhat.com/security/cve/CVE-2025-26466, the associated Bugzilla report at https://bugzilla.redhat.com/show_bug.cgi?id=2345043, and analyses from Qualys (https://www.qualys.com/2025/02/18/openssh-mitm-dos.txt) and security mailing lists such as oss-sec (https://seclists.org/oss-sec/2025/q1/144) and fulldisclosure (http://seclists.org/fulldisclosure/2025/Feb/18). Security practitioners should consult these for patch availability and workarounds specific to affected OpenSSH versions.
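The allocation pattern described above (one queued pong per received ping, freed only once key exchange completes) is the CWE-770 defect, and the SC-5/SC-6 controls amount to putting a bound on that queue. The following model, added here as an illustration and not taken from OpenSSH's source or its patch, contrasts an unbounded pre-key-exchange pong queue with one that caps outstanding pongs and drops the excess. The class and function names (`PreKexPongQueue`, `simulate`), the 256-byte per-pong cost and the cap of 64 are constructed for this example; OpenSSH's actual fix and limits may differ, and no SSH wire format is parsed.

```python
"""
Model of the pre-key-exchange ping/pong queue behind CVE-2025-26466.

Hypothetical model for this page; not OpenSSH code. It shows why queuing one
pong per ping with no bound until key exchange (KEX) completes lets a peer drive
server memory up (CWE-770), and how a cap on outstanding pre-KEX pongs keeps
the allocation bounded (the NIST SC-5 / SC-6 intent).
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Optional

PONG_PAYLOAD_SIZE = 256  # constructed: bytes reserved per queued pong in this model


@dataclass
class PreKexPongQueue:
    """Outgoing pongs that must wait until key exchange has finished."""
    max_pending: Optional[int] = None  # None = unbounded (the vulnerable behaviour)
    queue: Deque[bytearray] = field(default_factory=deque)
    pending_bytes: int = 0
    dropped: int = 0

    def on_ping(self, ping_id: int) -> bool:
        """Handle one ping received before KEX completes.

        Returns True if a pong was queued, False if it was dropped because the
        cap on outstanding pre-KEX pongs was already reached (hardened path).
        """
        if self.max_pending is not None and len(self.queue) >= self.max_pending:
            self.dropped += 1
            return False
        # Vulnerable pattern: an allocation per ping, held until KEX is done.
        self.queue.append(bytearray(PONG_PAYLOAD_SIZE))
        self.pending_bytes += PONG_PAYLOAD_SIZE
        return True

    def on_kex_done(self) -> int:
        """Key exchange finished: release every queued pong; returns count freed."""
        freed = len(self.queue)
        self.queue.clear()
        self.pending_bytes = 0
        return freed


def simulate(n_pings: int, max_pending: Optional[int]) -> Dict[str, int]:
    """Feed n_pings pings into a fresh pre-KEX queue and report peak memory held."""
    q = PreKexPongQueue(max_pending=max_pending)
    peak = 0
    for i in range(n_pings):
        q.on_ping(i)
        peak = max(peak, q.pending_bytes)
    queued = len(q.queue)
    freed = q.on_kex_done()
    return {"peak_bytes": peak, "queued": queued,
            "dropped": q.dropped, "freed_at_kex": freed}


if __name__ == "__main__":
    flood = 10_000  # constructed: number of pings sent before KEX completes
    # Unbounded queue: memory held grows linearly with the number of pings.
    print("unbounded:", simulate(flood, None))
    # Capped queue: memory held stays at cap * PONG_PAYLOAD_SIZE regardless of flood size.
    print("capped   :", simulate(flood, 64))
```

The point to take from the two runs is the shape of the growth curve, not the absolute numbers: with no cap, peak memory is proportional to how many pings the peer sends before completing (or never completing) key exchange, which is the asymmetry the ATT&CK mapping refers to; with a cap, peak memory is a constant chosen by the server and the excess pings cost the server nothing beyond a counter increment.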
Details
- CWE(s): CWE-770 (Allocation of Resources Without Limits or Throttling)