CVE-2023-25136

OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be leveraged, by an unauthenticated remote attacker in the default configuration, to jump to any location in the sshd address space. One third-party report states "remote code execution is theoretically possible."

Published: Feb 3, 2023
Updated: May 10, 2024
CVE: CVE-2023-25136
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.5
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H

CWEs:

CWE-415

Affected Software
References

Software	From	Fixed in
fedoraproject / fedora	37	37.x
fedoraproject / fedora	38	38.x
openbsd / openssh	9.1	9.1.x

http://www.openwall.com/lists/oss-security/2023/02/13/1
http://www.openwall.com/lists/oss-security/2023/02/22/1
http://www.openwall.com/lists/oss-security/2023/02/22/2
http://www.openwall.com/lists/oss-security/2023/02/23/3
http://www.openwall.com/lists/oss-security/2023/03/06/1
http://www.openwall.com/lists/oss-security/2023/03/09/2
https://bugzilla.mindrot.org/show_bug.cgi?id=3522
https://ftp.openbsd.org/pub/OpenBSD/patches/7.2/common/017_sshd.patch.sig
https://github.com/openssh/openssh-portable/commit/486c4dc3b83b4b67d663fb0fa62bc24138ec3946
https://jfrog.com/blog/openssh-pre-auth-double-free-cve-2023-25136-writeup-and-proof-of-concept/
https://lists.fedoraproject.org/archives/list/[email protected]/message/JGAUIXJ3TEKCRKVWFQ6GDAGQFTIIGQQP/
https://lists.fedoraproject.org/archives/list/[email protected]/message/R7LKQDFZWKYHQ65TBSH2X2HJQ4V2THS3/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JGAUIXJ3TEKCRKVWFQ6GDAGQFTIIGQQP/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R7LKQDFZWKYHQ65TBSH2X2HJQ4V2THS3/
https://news.ycombinator.com/item?id=34711565
https://security.gentoo.org/glsa/202307-01
https://security.netapp.com/advisory/ntap-20230309-0003/
https://www.openwall.com/lists/oss-security/2023/02/02/2

Vulnerability Database

289,697

CVE-2023-25136