CVE-2025-26465
openssh - security update
CVSS 3.1: 6.8 (MEDIUM)
EPSS: 64.5%
Description
A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A malicious machine impersonating a legitimate server can perform a machine-in-the-middle attack. The issue is caused by how OpenSSH mishandles error codes in specific conditions when verifying the host key. For the attack to succeed, the attacker must first exhaust the client's memory resources, which makes the attack complexity high.
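Because the issue only applies when VerifyHostKeyDNS is enabled, a first triage step is to find where client configuration turns it on. The following is an added example, not code from the advisory or from OpenSSH: a static scan of ssh_config text that reports every VerifyHostKeyDNS setting of yes or ask and the Host/Match block it sits in. The sample configuration is constructed, and treating both yes and ask as "enabled" is an assumption of this example.

```python
import shlex

# Constructed sample ssh_config for this example (not from the advisory).
SAMPLE_CONFIG = """\
# per-host overrides first, defaults last
Host bastion.example.org
    User ops
    verifyhostkeydns=yes

Host *.lab.example.org
    VerifyHostKeyDNS "ask"

Match host db.example.org
    VerifyHostKeyDNS no

Host *
    VerifyHostKeyDNS no
"""

RISKY_VALUES = {"yes", "ask"}  # assumption: both values count as "enabled"


def split_directive(line):
    """Split one ssh_config line into (keyword, args); None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    # ssh_config accepts "Keyword value" as well as "Keyword=value".
    head, sep, rest = line.partition("=")
    if sep and len(head.split()) == 1:
        line = head.strip() + " " + rest
    tokens = shlex.split(line)  # handles double-quoted arguments
    return (tokens[0].lower(), tokens[1:]) if tokens else None


def find_enabled(config_text):
    """Return (line_no, scope, value) for each VerifyHostKeyDNS yes/ask setting."""
    findings, scope = [], "(global)"
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        parsed = split_directive(raw)
        if parsed is None:
            continue
        keyword, args = parsed
        if keyword in ("host", "match"):
            scope = f"{keyword} {' '.join(args)}"  # remember the enclosing block
        elif keyword == "verifyhostkeydns" and args and args[0].lower() in RISKY_VALUES:
            findings.append((line_no, scope, args[0].lower()))
    return findings
```

The scan is static: it does not follow Include directives or resolve which block wins for a given host, so confirm a finding with `ssh -G <host>`, which prints the effective options for that destination.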
How to fix CVE-2025-26465
To remediate CVE-2025-26465, upgrade the affected package to one of the fixed versions below.
- upgrade to 9.3_p2-r3 or later
- upgrade to 1:8.4p1-5+deb11u4 or later
- upgrade to 1:8.4p1-5+deb11u4 or later
- upgrade to 1:9.2p1-2+deb12u5 or later
Is CVE-2025-26465 being exploited?
Likely — EPSS is 64.5%, placing CVE-2025-26465 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.
Affected packages (4)
- from 0, < 9.3_p2-r3
- from 0, < 1:8.4p1-5+deb11u4
- from 0, < 1:8.4p1-5+deb11u4
- from 0, < 1:9.2p1-2+deb12u5
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.8 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N |