VDB
JLSEC-2026-72
JLSEC-2026-72
PUBLISHED
CVSS 9.199999809265137 CRITICAL
A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle attack can be performed by a malicious machine impersonating a legit server. This issue occurs due to how OpenSSH mishandles error codes in specific conditions when verifying the host key. For an attack to be considered successful, the attacker needs to manage to exhaust the client's memory resource first, turning the attack complexity high.
Risk Scores
CVSS 4.0
9.199999809265137
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Julia | OpenSSH_jll | 0, 0 |
Timeline
- Apr 9, 2026 CVE Published
- Apr 9, 2026 CVE Updated
- May 1, 2026 Distribution Patch
- May 1, 2026 Distribution Patch
- May 1, 2026 Distribution Patch
- May 1, 2026 Distribution Patch
References
- https://access.redhat.com/errata/RHSA-2025:16823 url
- https://access.redhat.com/errata/RHSA-2025:3837 url
- https://access.redhat.com/errata/RHSA-2025:6993 url
- https://access.redhat.com/errata/RHSA-2025:8385 url
- https://access.redhat.com/security/cve/CVE-2025-26465 url
- https://access.redhat.com/solutions/7109879 url
- https://bugzilla.redhat.com/show_bug.cgi?id=2344780 url
- https://seclists.org/oss-sec/2025/q1/144 url
- http://seclists.org/fulldisclosure/2025/Feb/18 url
- http://seclists.org/fulldisclosure/2025/May/7 url
- http://seclists.org/fulldisclosure/2025/May/8 url
- https://blog.qualys.com/vulnerabilities-threat-research/2025/02/18/qualys-tru-discovers-two-vulnerabilities-in-openssh-cve-2025-26465-cve-2025-26466 url
- https://bugzilla.suse.com/show_bug.cgi?id=1237040 url
- https://ftp.openbsd.org/pub/OpenBSD/patches/7.6/common/008_ssh.patch.sig url
- https://lists.debian.org/debian-lts-announce/2025/02/msg00020.html url
- https://lists.mindrot.org/pipermail/openssh-unix-announce/2025-February/000161.html url
- https://security-tracker.debian.org/tracker/CVE-2025-26465 url
- https://security.netapp.com/advisory/ntap-20250228-0003/ url
- https://ubuntu.com/security/CVE-2025-26465 url
- https://www.openssh.com/releasenotes.html#9.9p2 url
…and 5 more