CVE-2025-26465: OpenSSH: machine-in-the-middle attack if VerifyHostKeyDNS is enabled

Published Feb 10, 2025

A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A malicious machine impersonating a legitimate server can perform a machine-in-the-middle attack. The issue occurs because OpenSSH mishandles error codes under specific conditions when verifying the host key. For the attack to succeed, the attacker must first exhaust the client's memory resources, which makes the attack complexity high.

Other sources

afpfs. The issue was addressed with improved memory handling.

Apple

afpfs. This issue was addressed with improved checks.

Apple

Apple Intelligence Reports. A permissions issue was addressed with additional restrictions.

Apple

AppleJPEG. The issue was addressed with improved input sanitization.

Apple

Audio. A double free issue was addressed with improved memory management.

Apple

Credit

Paweł Płatek (Trail of Bits), an anonymous researcher, LFY @secsys (Fudan University), CVE-2025-26465, CVE-2025-26466, wac, Csaba Fitzl @theevilbit (Kandji), Dave G., Kirin @Pwnrin, 7feilee, Eric Dorphy (Twin Cities App Dev LLC), Adam M., Christian Kohlschütter, CVE-2024-8176, Hossein Lotfi @hosselot (Trend Micro Zero Day Initiative), Lyutoon (Atredis Partners), YenKoc (Atredis Partners), Dayton Pidhirney (Atredis Partners), Mateusz Krzywicki @krzywix, Michael DePlante @izobashi (Trend Micro Zero Day Initiative), Lucas Leong @_wmliang_ (Trend Micro Zero Day Initiative), Joseph Ravichandran @0xjprx (MIT CSAIL), Dillon Franke (Google Project Zero), wac (Trend Micro Zero Day Initiative), Thomas Völkl @vollkorntomate, SEEMOO, TU Darmstadt, Guilherme Rambo (Best Buddy Apps), Kirin @Pwnrin (Fudan University), Bohdan Stasiuk @bohdan_stasiuk, Saagar Jha, Tony Iskow @Tybbow, Sourabhkumar Mishra, CertiK @CertiK, @RenwaX23, Ryan Dowd @_rdowd, Noah Gregory (wts.dev), Google V8 Security Team, Andreas Jaegersberger & Ro Achterberg (Nosebeard Labs), Jiming Wang, Jikai Ren, Nan Wang @eternalsakura13, rheza @ginggilBesel (Palo Alto Networks), Edouard Bochin @le_douds (Palo Alto Networks), Tao Yan @Ga1ois (Palo Alto Networks), Yuhao Hu, Yan Kang, Chenggang Wu, Xiaojie Wei, Ignacio Sanmillan @ulexec, Ivan Fratric (Google Project Zero), Juergen Schmied (Lynck GmbH), jioundai (360 Vulnerability Research Institute), chen fengjiao (HBC)

Affected Software

19 affected components. Fixes available.
Apple macOS Sonoma<14.7.6
14.7.6
Apple macOS Sequoia<15.5
15.5
IBM DS8A00( R10.0 - R10.1 )<=10.1.3.0 - 10.10.106.0
IBM DS8900F ( R9.4)<=89.40.83.0-89.44.5.0
Microsoft cbl2 openssh 8.9p1-8
Microsoft azl3 openssh 9.8p1-3
Microsoft azl3 openssh 9.8p1-4
Microsoft cbl2 openssh 8.9p1-7
OpenBSD OpenSSH>=6.9<=9.8
OpenBSD OpenSSH=6.8-p1
OpenBSD OpenSSH=9.9
OpenBSD OpenSSH=9.9-p1
NetApp Active Iq Unified Manager Vmware Vsphere
NetApp Ontap=9
redhat OpenShift Container Platform=4.0
Debian Debian Linux=11.0
Debian Debian Linux=12.0
redhat Enterprise Linux=9.0
debian/openssh<=1:8.4p1-5+deb11u3
1:8.4p1-5+deb11u7, 1:9.2p1-2+deb12u10, 1:9.2p1-2+deb12u9, 1:10.0p1-7+deb13u4, 1:10.0p1-7+deb13u2, 1:10.3p1-4

Event History

Feb 10, 2025
Data Sourced via Red Hat · 10:04 PM: Description, Severity, Affected Software

Feb 18, 2025
News Published via The Register · 03:30 PM
News Published via The Register · 03:33 PM
News Published via BleepingComputer · 05:07 PM
News Published via BleepingComputer · 05:08 PM
CVE Published via MITRE · 06:27 PM
Data Sourced via MITRE · 06:27 PM: Description, Severity, Weakness
Data Sourced via NVD · 07:15 PM: Remedy, Description, Severity, Weakness, Affected Software

Feb 22, 2025
Data Sourced via Microsoft · 08:00 AM: Description, Severity, Weakness
Data Sourced via Microsoft · 08:00 AM: Affected Software
Updated via Microsoft · 08:00 AM: Description, Severity

Mar 1, 2025
Known Exploited · 02:54 AM

May 12, 2025
Data Sourced via Apple · 12:00 AM: Description, Weakness, Affected Software
Updated via Apple · 12:00 AM: Description, Weakness

Sep 26, 2025
Data Sourced via Ubuntu · 08:08 AM: Remedy, Description, Severity, Affected Software

Dec 18, 2025
Data Sourced via IBM · 12:00 AM: Description, Affected Software

May 12, 2026
Data Sourced via Launchpad · 02:55 PM: Description

Jun 6, 2026
Data Sourced via Debian · 03:06 PM: Description, Affected Software

Parent advisories

This vulnerability appears in the following advisories.


Frequently Asked Questions

1. What is the severity of CVE-2025-26465?

CVE-2025-26465 has a critical severity level due to the potential for a machine-in-the-middle attack.

2. How do I fix CVE-2025-26465?

To fix CVE-2025-26465, upgrade to OpenSSH versions 1:8.4p1-5+deb11u4, 1:9.2p1-2+deb12u5, or 1:9.9p2-1.

3. What systems are affected by CVE-2025-26465?

CVE-2025-26465 affects OpenSSH versions up to 1:8.4p1-5+deb11u3, 1:9.2p1-2+deb12u4, and 1:9.9p1-3.

4. Can CVE-2025-26465 lead to unauthorized access?

Yes, CVE-2025-26465 can allow an attacker to impersonate a legitimate server, potentially leading to unauthorized access.

5. Is it safe to use OpenSSH with VerifyHostKeyDNS enabled after the fix for CVE-2025-26465?

After applying the fix for CVE-2025-26465, using OpenSSH with VerifyHostKeyDNS enabled is considered safe.
