VDB
JLSEC-2026-66
JLSEC-2026-66
PUBLISHED
CVSS 8.600000381469727 HIGH
OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be leveraged, by an unauthenticated remote attacker in the default configuration, to jump to any location in the sshd address space. One third-party report states "remote code execution is theoretically possible."
Risk Scores
CVSS v4.0
8.600000381469727
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Julia | OpenSSH_jll | 8.9.0+0, 8.9.0+0 |
Timeline
- Apr 9, 2026 CVE Published
- Apr 9, 2026 CVE Updated
References
- http://www.openwall.com/lists/oss-security/2023/02/13/1 url
- http://www.openwall.com/lists/oss-security/2023/02/22/1 url
- http://www.openwall.com/lists/oss-security/2023/02/22/2 url
- http://www.openwall.com/lists/oss-security/2023/02/23/3 url
- http://www.openwall.com/lists/oss-security/2023/03/06/1 url
- http://www.openwall.com/lists/oss-security/2023/03/09/2 url
- https://bugzilla.mindrot.org/show_bug.cgi?id=3522 url
- https://ftp.openbsd.org/pub/OpenBSD/patches/7.2/common/017_sshd.patch.sig url
- https://github.com/openssh/openssh-portable/commit/486c4dc3b83b4b67d663fb0fa62bc24138ec3946 url
- https://jfrog.com/blog/openssh-pre-auth-double-free-cve-2023-25136-writeup-and-proof-of-concept/ url
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JGAUIXJ3TEKCRKVWFQ6GDAGQFTIIGQQP/ url
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R7LKQDFZWKYHQ65TBSH2X2HJQ4V2THS3/ url
- https://news.ycombinator.com/item?id=34711565 url
- https://security.gentoo.org/glsa/202307-01 url
- https://security.netapp.com/advisory/ntap-20230309-0003/ url
- https://www.openwall.com/lists/oss-security/2023/02/02/2 url