CVE-2015-6564
7.0 HIGHUse-after-free vulnerability in the mm_answer_pam_free_ctx function in monitor.c in sshd in OpenSSH before 7.0 on non-OpenBSD platforms m...
Published: 2015-08-24 · Last updated: 2026-05-27
Severity and scoring
- CVSS
- 7.0 HIGH
- Vector
- CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
- CWE
- CWE-264, CWE-416
Affected products
| Vendor | Product |
|---|---|
| openbsd | openssh |
Description
Use-after-free vulnerability in the mm_answer_pam_free_ctx function in monitor.c in sshd in OpenSSH before 7.0 on non-OpenBSD platforms might allow local users to gain privileges by leveraging control of the sshd uid to send an unexpectedly early MONITOR_REQ_PAM_FREE_CTX request.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2015-6564
- [Other]http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165170.html
- [Other]http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00017.html
- [Other]http://rhn.redhat.com/errata/RHSA-2016-0741.html
- [Other]http://seclists.org/fulldisclosure/2015/Aug/54
- [Vendor advisory]http://www.openssh.com/txt/release-7.0
- [Other]http://www.openwall.com/lists/oss-security/2015/08/22/1
- [Other]http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html
- [Other]http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
- [Other]http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
- [Other]http://www.securityfocus.com/bid/76317
- [Other]https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf
- [Other]https://github.com/openssh/openssh-portable/commit/5e75f5198769056089fb06c4d738ab0e5abc66f7
- [Other]https://kc.mcafee.com/corporate/index?page=content&id=SB10136
- [Other]https://lists.debian.org/debian-lts-announce/2018/09/msg00010.html
- [Other]https://security.gentoo.org/glsa/201512-04
- [Other]https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2019-764
- [Other]http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165170.html
- [Other]http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00017.html
- [Other]http://rhn.redhat.com/errata/RHSA-2016-0741.html
- [Other]http://seclists.org/fulldisclosure/2015/Aug/54
- [Vendor advisory]http://www.openssh.com/txt/release-7.0
- [Other]http://www.openwall.com/lists/oss-security/2015/08/22/1
- [Other]http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html
- [Other]http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
- [Other]http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
- [Other]http://www.securityfocus.com/bid/76317
- [Other]https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf
- [Other]https://github.com/openssh/openssh-portable/commit/5e75f5198769056089fb06c4d738ab0e5abc66f7
- [Other]https://kc.mcafee.com/corporate/index?page=content&id=SB10136
- [Other]https://lists.debian.org/debian-lts-announce/2018/09/msg00010.html
- [Other]https://security.gentoo.org/glsa/201512-04
- [Other]https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2019-764
Related CVEs
Same vendor
- CVE-2026-3497 — Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions (7.5 HIGH)
- CVE-2023-51767 — OpenSSH through 10.0, when common types of DRAM are used, might allow row hammer attacks (for authentication bypass) because the integer ... (7.0 HIGH)
- CVE-2023-51384 — In ssh-agent in OpenSSH before 9.6, certain destination constraints can be incompletely applied (5.5 MEDIUM)
- CVE-2023-28531 — ssh-add in OpenSSH before 9.3 adds smartcard keys to ssh-agent without the intended per-hop destination constraints (9.8 CRITICAL)
- CVE-2023-25136 — OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling (6.5 MEDIUM)
Same CWE
- CVE-2026-10640 — Zephyr's IPv6 Neighbor Discovery send paths (net_ipv6_send_na, net_ipv6_send_ns, net_ipv6_send_rs in subsys/net/ip/ipv6_nbr.c) updated th... (4.2 MEDIUM)
- CVE-2026-10639 — In Zephyr's native IPv4 stack, icmpv4_handle_echo_request() in subsys/net/ip/icmpv4.c builds an echo-reply packet (reply), hands it to ne... (4.8 MEDIUM)
- CVE-2026-10638 — subsys/net/ip/icmpv6.c reads the network interface from a net_pkt after that packet has been handed to net_try_send_data() (5.9 MEDIUM)
- CVE-2026-10637 — subsys/net/ip/ipv6_mld.c:mld_send() read the packet interface via net_pkt_iface(pkt) after net_send_data(pkt) returned successfully (5.9 MEDIUM)
- CVE-2026-10636 — In Zephyr's IPv4 IGMP implementation, igmp_send() in subsys/net/ip/igmp.c read the network interface back out of the packet via net_pkt_i... (3.7 LOW)