CVE-2023-25136
6.5 MEDIUM
OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling
Published: 2023-02-03 · Last updated: 2026-05-28
Severity and scoring
- CVSS: 6.5 MEDIUM
- Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
- CWE: CWE-415
Affected products
| Vendor | Product |
|---|---|
| fedoraproject | 500f_firmware, a250_firmware, c250_firmware |
| netapp | 500f_firmware, a250_firmware, c250_firmware |
| openbsd | 500f_firmware, a250_firmware, c250_firmware |
Description
OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be leveraged, by an unauthenticated remote attacker in the default configuration, to jump to any location in the sshd address space. One third-party report states "remote code execution is theoretically possible."
Source: NVD
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2023-25136
- [Other] http://www.openwall.com/lists/oss-security/2023/02/13/1
- [Other] http://www.openwall.com/lists/oss-security/2023/02/22/1
- [Other] http://www.openwall.com/lists/oss-security/2023/02/22/2
- [Other] http://www.openwall.com/lists/oss-security/2023/02/23/3
- [Other] http://www.openwall.com/lists/oss-security/2023/03/06/1
- [Other] http://www.openwall.com/lists/oss-security/2023/03/09/2
- [Exploit reference] https://bugzilla.mindrot.org/show_bug.cgi?id=3522
- [Patch] https://ftp.openbsd.org/pub/OpenBSD/patches/7.2/common/017_sshd.patch.sig
- [Patch] https://github.com/openssh/openssh-portable/commit/486c4dc3b83b4b67d663fb0fa62bc24138ec3946
- [Exploit reference] https://jfrog.com/blog/openssh-pre-auth-double-free-cve-2023-25136-writeup-and-proof-of-concept/
- [Other] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JGAUIXJ3TEKCRKVWFQ6GDAGQFTIIGQQP/
- [Other] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R7LKQDFZWKYHQ65TBSH2X2HJQ4V2THS3/
- [Other] https://news.ycombinator.com/item?id=34711565
- [Other] https://security.gentoo.org/glsa/202307-01
- [Other] https://security.netapp.com/advisory/ntap-20230309-0003/
- [Exploit reference] https://www.openwall.com/lists/oss-security/2023/02/02/2
Related CVEs
Same vendor
- CVE-2026-3497 — Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions (7.5 HIGH)
- CVE-2025-22134 — When switching to other buffers using the :all command and visual mode still being active, this may cause a heap-buffer overflow, because... (4.2 MEDIUM)
- CVE-2024-21262 — Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/ODBC) (6.5 MEDIUM)
- CVE-2024-43374 — The UNIX editor Vim prior to version 9.1.0678 has a use-after-free error in argument list handling (4.5 MEDIUM)
- CVE-2024-28960 — An issue was discovered in Mbed TLS 2.18.0 through 2.28.x before 2.28.8 and 3.x before 3.6.0, and Mbed Crypto (8.2 HIGH)
Same CWE
- CVE-2026-35188 — Issue summary: A malicious server can exploit TLS OCSP stapling by delivering a crafted response through the status_request extension, tr... (5.0 MEDIUM)
- CVE-2026-45324 — Rizin is a UNIX-like reverse engineering framework and command-line toolset (3.3 LOW)
- CVE-2026-44422 — FreeRDP is a free implementation of the Remote Desktop Protocol (7.5 HIGH)
- CVE-2026-46189 — In the Linux kernel, the following vulnerability has been resolved: RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error pa... (7.8 HIGH)
- CVE-2026-46183 — In the Linux kernel, the following vulnerability has been resolved: mm/damon/sysfs-schemes: protect path kfree() with damon_sysfs_lock ... (7.8 HIGH)