Advisory

Qualys reports two flaws in OpenSSH, one critical DDoS

Take action: If you are using OpenSSH (which you probably are), make sure VerifyHostKeyDNS is disabled in your SSH client configuration unless you absolutely need it. Apply connection rate limiting to the OpenSSH server to reduce the DDoS risk. Then plan a patch cycle.


Learn More

Qualys Threat Research Unit is reporting two vulnerabilities in OpenSSH, a widely-used open-source implementation of the SSH protocol that provides encrypted communication for secure remote access, file transfers, and tunneling over untrusted networks.

  • CVE-2025-26466 (CVSS score 9.8) is a pre-authentication denial-of-service flaw introduced in OpenSSH 9.5p1 (August 2023). It stems from unrestricted memory allocation during key exchange, leading to uncontrolled resource consumption: an attacker repeatedly sends small 16-byte ping messages, and OpenSSH buffers a 256-byte response to each without any immediate limit. During key exchange these responses are stored indefinitely, so memory consumption and CPU load can grow until the system crashes.
  • CVE-2025-26465 (CVSS score 6.8) remained undetected for over a decade after its introduction in December 2014 with OpenSSH 6.8p1. It affects OpenSSH clients with the 'VerifyHostKeyDNS' option enabled and allows a threat actor to perform a man-in-the-middle attack. The attack succeeds whether VerifyHostKeyDNS is set to "yes" or "ask", requires no user interaction, and does not depend on whether SSHFP records exist in DNS. The option is disabled by default in OpenSSH, but it was enabled by default in FreeBSD from 2013 until 2023, potentially leaving many systems exposed.

OpenSSH has fixed both vulnerabilities in version 9.9p2. Administrators are additionally advised to disable VerifyHostKeyDNS unless it is absolutely necessary, to implement connection rate limits, and to monitor SSH traffic for abnormal patterns.
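The mitigations in the "Take action" line and in the paragraph above can be checked mechanically. The POSIX shell script below is an added example, not code from the advisory, from Qualys, or from the OpenSSH project: it parses ssh-style config text, flags a client configuration with VerifyHostKeyDNS set to "yes" or "ask" (CVE-2025-26465), flags an sshd_config with no MaxStartups/PerSourceMaxStartups connection limits (the rate-limiting mitigation for CVE-2025-26466), and compares an `ssh -V` banner against the 9.9p2 fix level. The configuration samples are constructed; the single-scope config parser and the choice of MaxStartups plus PerSourceMaxStartups as the rate-limiting test are assumptions of this example, not something the advisory specifies.

```shell
#!/bin/sh
# Added example (not from the advisory or the OpenSSH project): a small audit
# of the three mitigations above. Config text is passed as a string so the
# checks run against the constructed samples below as well as real files,
# e.g. verify_host_key_dns_safe "$(cat /etc/ssh/ssh_config)".

# Print the value of the first non-comment occurrence of a keyword in
# ssh-style config text ($1 = config text, $2 = keyword). Keywords are
# case-insensitive; both "Key value" and "Key=value" are accepted.
# Assumption: the text is one global scope. Host/Match blocks are not
# modelled, so feed real hosts the output of `ssh -G host` or `sshd -T`.
config_value() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        NF == 0          { next }
        {
            sub(/^[[:space:]]+/, "")
            n = split($0, f, /[[:space:]=]+/)
            if (n >= 2 && tolower(f[1]) == key) { print f[2]; exit }
        }'
}

# CVE-2025-26465 (client side): returns 0 when VerifyHostKeyDNS is off
# (unset means the OpenSSH default "no"), 1 when it is "yes" or "ask",
# both of which the advisory describes as vulnerable.
verify_host_key_dns_safe() {
    v=$(config_value "$1" VerifyHostKeyDNS | tr 'A-Z' 'a-z')
    case "$v" in
        ""|no) return 0 ;;
        *)     return 1 ;;
    esac
}

# CVE-2025-26466 (server side): returns 0 when sshd_config sets an explicit
# MaxStartups and a PerSourceMaxStartups (OpenSSH 8.5+), so a single source
# cannot hold many unauthenticated key exchanges open; otherwise prints what
# is missing to stderr and returns 1. The sshd default MaxStartups 10:30:100
# applies when unset but has no per-source component.
rate_limit_configured() {
    missing=""
    [ -n "$(config_value "$1" MaxStartups)" ]          || missing="$missing MaxStartups"
    [ -n "$(config_value "$1" PerSourceMaxStartups)" ] || missing="$missing PerSourceMaxStartups"
    [ -z "$missing" ] && return 0
    echo "sshd_config is missing:$missing" >&2
    return 1
}

# Fix level: returns 0 when a version string such as the output of `ssh -V`
# ("OpenSSH_9.9p1 ...") is 9.9p2 or later, 1 when older, 2 when unparseable.
# Distributions backport fixes without bumping the version, so treat "older"
# as "check the vendor advisory", not as "definitely vulnerable".
openssh_version_fixed() {
    v=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\)p\([0-9][0-9]*\).*/\1 \2 \3/p')
    [ -n "$v" ] || return 2
    set -- $v
    major=$1; minor=$2; patch=$3
    [ "$major" -gt 9 ] && return 0
    [ "$major" -lt 9 ] && return 1
    [ "$minor" -gt 9 ] && return 0
    [ "$minor" -lt 9 ] && return 1
    [ "$patch" -ge 2 ]
}

# --- constructed samples (not taken from any real host) ---
weak_ssh_config='VerifyHostKeyDNS ask
StrictHostKeyChecking ask'
hardened_ssh_config='VerifyHostKeyDNS no
StrictHostKeyChecking yes'
weak_sshd_config='Port 22
PermitRootLogin no'
hardened_sshd_config='Port 22
PermitRootLogin no
MaxStartups 10:30:60
PerSourceMaxStartups 5
LoginGraceTime 30'

if verify_host_key_dns_safe "$weak_ssh_config"; then echo "weak client: ok"; else echo "weak client: VerifyHostKeyDNS is on, set it to no"; fi
if verify_host_key_dns_safe "$hardened_ssh_config"; then echo "hardened client: ok"; fi
if rate_limit_configured "$weak_sshd_config"; then echo "weak server: ok"; else echo "weak server: add connection limits"; fi
if rate_limit_configured "$hardened_sshd_config"; then echo "hardened server: ok"; fi
for banner in "OpenSSH_9.9p1" "OpenSSH_9.9p2"; do
    if openssh_version_fixed "$banner"; then echo "$banner: at fix level"; else echo "$banner: older than 9.9p2"; fi
done
```

On a real host, run `sshd -T` (server) or `ssh -G somehost` (client) and pass that output to the checks so that Match and Host blocks are already resolved; the version check takes `"$(ssh -V 2>&1)"` directly.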
