CVE-2025-26465

OpenSSH: machine-in-the-middle attack if VerifyHostKeyDNS is enabled

Description

A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle attack can be performed by a malicious machine impersonating a legitimate server. The issue is caused by OpenSSH mishandling error codes under specific conditions while verifying the host key. For the attack to succeed, the attacker must first exhaust the client's memory resources, which makes the attack complexity high.

Remediation

Workaround:

  • Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Category

CVSS 3.1: 6.8
Severity: Medium
EPSS: 45.36% (Top 5%)
Vendor Advisory: redhat.com
Affected: Red Hat Red Hat Enterprise Linux 9
Affected: Red Hat Red Hat Enterprise Linux 9.4 Extended Update Support
Affected: Red Hat Red Hat Discovery 1.14
Affected: Red Hat Red Hat Enterprise Linux 10
Affected: Red Hat Red Hat Enterprise Linux 6
Affected: Red Hat Red Hat Enterprise Linux 7
Affected: Red Hat Red Hat Enterprise Linux 8
Affected: Red Hat Red Hat OpenShift Container Platform 4

References

Link Tags
https://access.redhat.com/errata/RHSA-2025:3837 vendor advisory
https://access.redhat.com/errata/RHSA-2025:6993 vendor advisory
https://access.redhat.com/errata/RHSA-2025:8385 vendor advisory
https://access.redhat.com/security/cve/CVE-2025-26465 vdb entry third party advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2344780 third party advisory issue tracking
https://seclists.org/oss-sec/2025/q1/144 third party advisory mailing list
https://blog.qualys.com/vulnerabilities-threat-research/2025/02/18/qualys-tru-discovers-two-vulnerabilities-in-openssh-cve-2025-26465-cve-2025-26466 third party advisory
https://bugzilla.suse.com/show_bug.cgi?id=1237040 issue tracking
https://ftp.openbsd.org/pub/OpenBSD/patches/7.6/common/008_ssh.patch.sig patch
https://lists.debian.org/debian-lts-announce/2025/02/msg00020.html third party advisory
https://lists.mindrot.org/pipermail/openssh-unix-announce/2025-February/000161.html third party advisory
https://security-tracker.debian.org/tracker/CVE-2025-26465 third party advisory
https://security.netapp.com/advisory/ntap-20250228-0003/ third party advisory
https://ubuntu.com/security/CVE-2025-26465 third party advisory
https://www.openssh.com/releasenotes.html#9.9p2 release notes
https://www.openwall.com/lists/oss-security/2025/02/18/1 mailing list third party advisory
https://www.openwall.com/lists/oss-security/2025/02/18/4 mailing list third party advisory
https://www.theregister.com/2025/02/18/openssh_vulnerabilities_mitm_dos/ press/media coverage
https://www.vicarius.io/vsociety/posts/cve-2025-26465-detect-vulnerable-openssh third party advisory
https://www.vicarius.io/vsociety/posts/cve-2025-26465-mitigate-vulnerable-openssh mitigation third party advisory

Frequently Asked Questions

What is the severity of CVE-2025-26465?
CVE-2025-26465 has been scored as a medium severity vulnerability.
How to fix CVE-2025-26465?
As a workaround for remediating CVE-2025-26465: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Is CVE-2025-26465 being actively exploited in the wild?
Based on public information, it is possible that CVE-2025-26465 is being exploited or will be exploited in the near future. According to its EPSS score, there is a ~45% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-26465?
CVE-2025-26465 affects Red Hat Red Hat Enterprise Linux 9, Red Hat Red Hat Enterprise Linux 9.4 Extended Update Support, Red Hat Red Hat Discovery 1.14, Red Hat Red Hat Enterprise Linux 10, Red Hat Red Hat Enterprise Linux 6, Red Hat Red Hat Enterprise Linux 7, Red Hat Red Hat Enterprise Linux 8, Red Hat Red Hat OpenShift Container Platform 4.