DEBIAN-CVE-2023-25136
PUBLISHED
CVSS 6.5 MEDIUM
OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be leveraged, by an unauthenticated remote attacker in the default configuration, to jump to any location in the sshd address space. One third-party report states "remote code execution is theoretically possible."
Risk Scores
CVSS 3.1
6.5
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:12 | openssh | 0, 0, 0 |
| Debian:14 | openssh | 0, 0, 0 |
| Debian:13 | openssh | 0, 0, 0 |
Exploit Intelligence
- This vulnerability is of the "double-free" type, which occurs during the processing of key exchange (KEX) algorithms in OpenSSH. A "double-free" vulnerability happens when memory that has already been freed is freed again. This issue can indirectly lead to remote code execution (RCE) by an attacker. (github-poc-repo)
- Lane0218/CVE-2023-25136-PoC (github-poc-repo)
- OpenSSH Pre-Auth Double Free CVE-2023-25136 – Writeup and Proof-of-Concept (github-poc)
- Looking into the memory when sshd 9.1p1 aborts due to a double free bug. (github-poc)
- OpenSSH 9.1 vulnerability large-scale scanning and exploitation (github-poc)
- CVE-2023-25136 POC written by axylisdead (github-poc)
- OpenSSH 9.1 vulnerability mass scan and exploit (github-poc)
- OpenSSH Pre-Auth Double Free CVE-2023-25136 POC (github-poc)
…and 5 more exploits
Timeline
- Feb 3, 2023 CVE Published
- Apr 28, 2026 CVE Updated