OpenBSD OpenSSH SSH Server Implementation

OpenSSH GSSAPI Mechanism Count DoS Leading to DoS via Unbounded Mem
CVE-2025-58181 5.3 - Medium - November 19, 2025

SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

Allocation of Resources Without Limits or Throttling

OpenSSH Client: SSH Multiplexing Timeout Bypass Allows Post-Timeout File Ops
CVE-2025-54547 5.3 - Medium - October 29, 2025

On affected platforms, if SSH session multiplexing was configured on the client side, SSH sessions (e.g, scp, sftp) multiplexed onto the same channel could perform file-system operations after a configured session timeout expired

Insufficient Session Expiration

OpenSSH unprivileged account allows persistent SSH/Service DoS
CVE-2025-59459 5.5 - Medium - October 27, 2025

An attacker that gains SSH access to an unprivileged account may be able to disrupt services (including SSH), causing persistent loss of availability.

Allocation of Resources Without Limits or Throttling

OpenSSH before 10.1 Null Byte in ssh:// URI ProxyCommand Code Execution
CVE-2025-61985 3.6 - Low - October 06, 2025

ssh in OpenSSH before 10.1 allows the '\0' character in an ssh:// URI, potentially leading to code execution when a ProxyCommand is used.

Improper Neutralization of Null Byte or NUL Character

OpenSSH 10.1-Prev: Username Ctrl Char Enables Code Exec via ProxyCommand
CVE-2025-61984 3.6 - Low - October 06, 2025

ssh in OpenSSH before 10.1 allows control characters in usernames that originate from certain possibly untrusted sources, potentially leading to code execution when a ProxyCommand is used. The untrusted sources are the command line and %-sequence expansion of a configuration file. (A configuration file that provides a complete literal username is not categorized as an untrusted source.)

Improper Handling of Invalid Use of Special Elements

Local PrivEsc via SSH Script Input Validation Flaw in OpenSSH
CVE-2025-24005 7.8 - High - July 08, 2025

A local attacker with a local user account can leverage a vulnerable script via SSH to escalate privileges to root due to improper input validation.

Improper Input Validation

OpenSSH Hard-Coded Root /etc/shadow Entry (CVE-2025-48416)
CVE-2025-48416 8.1 - High - May 21, 2025

An OpenSSH daemon listens on TCP port 22. There is a hard-coded entry in the "/etc/shadow" file in the firmware image for the "root" user. However, in the default SSH configuration the "PermitRootLogin" is disabled, preventing the root user from logging in via SSH. This configuration can be bypassed/changed by an attacker through multiple paths though.

Hidden Functionality

OpenSSH <10.0: DisableForwarding fails to disable X11/agent forwarding
CVE-2025-32728 3.8 - Low - April 10, 2025

In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding.

OpenSSH DoS via Ping-Pong Packet Queue Overflow
CVE-2025-26466 5.9 - Medium - February 28, 2025

A flaw was found in the OpenSSH package. For each ping packet the SSH server receives, a pong packet is allocated in a memory buffer and stored in a queue of packages. It is only freed when the server/client key exchange has finished. A malicious client may keep sending such packages, leading to an uncontrolled increase in memory consumption on the server side. Consequently, the server may become unavailable, resulting in a denial of service attack.

Allocation of Resources Without Limits or Throttling

OpenSSH File Transfer DoS via Slow Key Exchange
CVE-2025-22869 - February 26, 2025

SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

OpenSSH VerifyHostKeyDNS DoS via Host Key Verification Error
CVE-2025-26465 6.8 - Medium - February 18, 2025

A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle attack can be performed by a malicious machine impersonating a legit server. This issue occurs due to how OpenSSH mishandles error codes in specific conditions when verifying the host key. For an attack to be considered successful, the attacker needs to manage to exhaust the client's memory resource first, turning the attack complexity high.

Detection of Error Condition Without Action

OpenSSH SSHd SIGALRM Race Enables Remote RCE
CVE-2024-6409 7 - High - July 08, 2024

A race condition vulnerability was discovered in how signals are handled by OpenSSH's server (sshd). If a remote attacker does not authenticate within a set time period, then sshd's SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog(). As a consequence of a successful attack, in the worst case scenario, an attacker may be able to perform a remote code execution (RCE) as an unprivileged user running the sshd server.

Signal Handler Race Condition

OpenSSH 9.59.7 Timing Attack on echooff keystrokes
CVE-2024-39894 7.5 - High - July 02, 2024

OpenSSH 9.5 through 9.7 before 9.8 sometimes allows timing attacks against echo-off password entry (e.g., for su and Sudo) because of an ObscureKeystrokeTiming logic error. Similarly, other timing attacks against keystroke entry could occur.

TOCTTOU

OpenSSH Race Condition leading to RCE, known as regreSSHion
CVE-2024-6387 8.1 - High - July 01, 2024

A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.

Signal Handler Race Condition

DoS via repeated SSH packets in OpenSSH
CVE-2024-32943 - June 20, 2024

An attacker may be able to cause a denial-of-service condition by sending many SSH packets repeatedly.

Insufficient anti-automation

OpenSSH Hard-Coded Root Account Remote Auth (CVE-2023-48251)
CVE-2023-48251 9.8 - Critical - January 10, 2024

The vulnerability allows a remote attacker to authenticate to the SSH service with root privileges through a hidden hard-coded account.

Use of Hard-coded Credentials

OpenSSH <10.0 RowHammer Auth Bypass via mm_answer_authpassword
CVE-2023-51767 - December 24, 2023

OpenSSH through 10.0, when common types of DRAM are used, might allow row hammer attacks (for authentication bypass) because the integer value of authenticated in mm_answer_authpassword does not resist flips of a single bit. NOTE: this is applicable to a certain threat model of attacker-victim co-location in which the attacker has user privileges. NOTE: this is disputed by the Supplier, who states "we do not consider it to be the application's responsibility to defend against platform architectural weaknesses."

OpenSSH <9.6 ssh-agent PKCS#11 Dest. Cons. Flaw
CVE-2023-51384 5.5 - Medium - December 18, 2023

In ssh-agent in OpenSSH before 9.6, certain destination constraints can be incompletely applied. When destination constraints are specified during addition of PKCS#11-hosted private keys, these constraints are only applied to the first key, even if a PKCS#11 token returns multiple keys.

OpenSSH <9.6 OS Command Injection via Username/Host Metacharacters
CVE-2023-51385 6.5 - Medium - December 18, 2023

In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name.

Shell injection

OpenSSH <9.6 BPP handshake flaw allows integrity bypass (Terrapin attack)
CVE-2023-48795 5.9 - Medium - December 18, 2023

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.

Improper Validation of Integrity Check Value

OpenSSH sftp-server NULL Deref via Missing Alloc Check DoS
CVE-2023-3603 6.5 - Medium - July 21, 2023

A missing allocation check in sftp server processing read requests may cause a NULL dereference on low-memory conditions. The malicious client can request up to 4GB SFTP reads, causing allocation of up to 4GB buffers, which was not being checked for failure. This will likely crash the authenticated user's sftp server connection (if implemented as forking as recommended). For thread-based servers, this might also cause DoS for legitimate users. Given this code is not in any released versions, no security releases have been issued.

NULL Pointer Dereference

OpenSSH SSH-Agent PKCS#11 RCE via untrusted path (pre-9.3p2)
CVE-2023-38408 9.8 - Critical - July 20, 2023

The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.

Unquoted Search Path or Element

OpenSSH IPv4-mapped IPv6 Deny-list Bypass
CVE-2023-26431 4.3 - Medium - June 20, 2023

IPv4-mapped IPv6 addresses did not get recognized as "local" by the code and a connection attempt is made. Attackers with access to user accounts could use this to bypass existing deny-list functionality and trigger requests to restricted network infrastructure to gain insight about topology and running services. We now respect possible IPV4-mapped IPv6 addresses when checking if contained in a deny-list. No publicly available exploits are known.

SSRF

OpenSSH (<9.3) ssh-add Smartcard keys added to ssh-agent without per-hop ACL
CVE-2023-28531 - March 17, 2023

ssh-add in OpenSSH before 9.3 adds smartcard keys to ssh-agent without the intended per-hop destination constraints. The earliest affected version is 8.9.

OpenSSH 9.1 Double-Free RCE via kex_algorithms (sshd)
CVE-2023-25136 6.5 - Medium - February 03, 2023

OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be leveraged, by an unauthenticated remote attacker in the default configuration, to jump to any location in the sshd address space. One third-party report states "remote code execution is theoretically possible."

Double-free

An issue was discovered in OpenSSH before 8.9
CVE-2021-36368 3.7 - Low - March 13, 2022

An issue was discovered in OpenSSH before 8.9. If a client is using public-key authentication with agent forwarding but without -oLogLevel=verbose, and an attacker has silently modified the server to support the None authentication option, then the user cannot determine whether FIDO authentication is going to confirm that the user wishes to connect to that server, or that the user wishes to allow that server to connect to a different server on the user's behalf. NOTE: the vendor's position is "this is not an authentication bypass, since nothing is being bypassed.

authentification

sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used
CVE-2021-41617 7 - High - September 26, 2021

sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows privilege escalation because supplemental groups are not initialized as expected. Helper programs for AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges associated with group memberships of the sshd process, if the configuration specifies running the command as a different user.

OpenSSH through 8.7 allows remote attackers, who have a suspicion
CVE-2016-20012 5.3 - Medium - September 15, 2021

OpenSSH through 8.7 allows remote attackers, who have a suspicion that a certain combination of username and public key is known to an SSH server, to test whether this suspicion is correct. This occurs because a challenge is sent only when that combination could be valid for a login session. NOTE: the vendor does not recognize user enumeration as a vulnerability for this product

ssh-agent in OpenSSH before 8.5 has a double free
CVE-2021-28041 7.1 - High - March 05, 2021

ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host.

Double-free

scp in OpenSSH through 8.3p1
CVE-2020-15778 7.4 - High - July 24, 2020

scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of "anomalous argument transfers" because that could "stand a great chance of breaking existing workflows."

Shell injection

The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy leading to an information leak in the algorithm negotiation
CVE-2020-14145 5.9 - Medium - June 29, 2020

The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client). NOTE: some reports state that 8.5 and 8.6 are also affected.

Side Channel Attack

The scp client in OpenSSH 8.2 incorrectly sends duplicate responses to the server upon a utimes system call failure, which
CVE-2020-12062 7.5 - High - June 01, 2020

The scp client in OpenSSH 8.2 incorrectly sends duplicate responses to the server upon a utimes system call failure, which allows a malicious unprivileged user on the remote server to overwrite arbitrary files in the client's download directory by creating a crafted subdirectory anywhere on the remote server. The victim must use the command scp -rp to download a file hierarchy containing, anywhere inside, this crafted subdirectory. NOTE: the vendor points out that "this attack can achieve no more than a hostile peer is already able to achieve within the scp protocol" and "utimes does not fail under normal circumstances.

Improper Input Validation

OpenSSH 7.7 through 7.9 and 8.x before 8.1
CVE-2019-16905 7.8 - High - October 09, 2019

OpenSSH 7.7 through 7.9 and 8.x before 8.1, when compiled with an experimental key type, has a pre-authentication integer overflow if a client or server is configured to use a crafted XMSS key. This leads to memory corruption and local code execution because of an error in the XMSS key parsing algorithm. NOTE: the XMSS implementation is considered experimental in all released OpenSSH versions, and there is no supported way to enable it when building portable OpenSSH.

Integer Overflow or Wraparound

An issue was discovered in OpenSSH 7.9
CVE-2019-6109 6.8 - Medium - January 31, 2019

An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a malicious server (or Man-in-The-Middle attacker) can employ crafted object names to manipulate the client output, e.g., by using ANSI control codes to hide additional files being transferred. This affects refresh_progress_meter() in progressmeter.c.

Output Sanitization

In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output
CVE-2019-6110 6.8 - Medium - January 31, 2019

In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI control codes to hide additional files being transferred.

Inappropriate Encoding for Output Context

An issue was discovered in OpenSSH 7.9
CVE-2019-6111 5.9 - Medium - January 31, 2019

An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file).

Directory traversal

In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions via the filename of
CVE-2018-20685 5.3 - Medium - January 10, 2019

In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions via the filename of . or an empty filename. The impact is modifying the permissions of the target directory on the client side.

AuthZ

Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use
CVE-2018-15919 5.3 - Medium - August 28, 2018

Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or "oracle") as a vulnerability.'

Information Disclosure

OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed
CVE-2018-15473 5.9 - Medium - August 17, 2018

OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.

Race Condition

sshd in OpenSSH before 7.4
CVE-2016-10708 7.5 - High - January 21, 2018

sshd in OpenSSH before 7.4 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYS message, as demonstrated by Honggfuzz, related to kex.c and packet.c.

NULL Pointer Dereference

The process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in readonly mode, which
CVE-2017-15906 5.3 - Medium - October 26, 2017

The process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in readonly mode, which allows attackers to create zero-length files.

Incorrect Permission Assignment for Critical Resource

The client in OpenSSH before 7.2 mishandles failed cookie generation for untrusted X11 forwarding and relies on the local X11 server for access-control decisions, which
CVE-2016-1908 9.8 - Critical - April 11, 2017

The client in OpenSSH before 7.2 mishandles failed cookie generation for untrusted X11 forwarding and relies on the local X11 server for access-control decisions, which allows remote X11 clients to trigger a fallback and obtain trusted X11 forwarding privileges by leveraging configuration issues on this X11 server, as demonstrated by lack of the SECURITY extension on this X11 server.

authentification

sshd in OpenSSH before 7.3, when SHA256 or SHA512 are used for user password hashing, uses BLOWFISH hashing on a static password when the username does not exist, which
CVE-2016-6210 5.9 - Medium - February 13, 2017

sshd in OpenSSH before 7.3, when SHA256 or SHA512 are used for user password hashing, uses BLOWFISH hashing on a static password when the username does not exist, which allows remote attackers to enumerate users by leveraging the timing difference between responses when a large password is provided.

Information Disclosure

authfile.c in sshd in OpenSSH before 7.4 does not properly consider the effects of realloc on buffer contents, which might
CVE-2016-10011 5.5 - Medium - January 05, 2017

authfile.c in sshd in OpenSSH before 7.4 does not properly consider the effects of realloc on buffer contents, which might allow local users to obtain sensitive private-key information by leveraging access to a privilege-separated child process.

Key Management Errors

The shared memory manager (associated with pre-authentication compression) in sshd in OpenSSH before 7.4 does not ensure
CVE-2016-10012 7.8 - High - January 05, 2017

The shared memory manager (associated with pre-authentication compression) in sshd in OpenSSH before 7.4 does not ensure that a bounds check is enforced by all compilers, which might allows local users to gain privileges by leveraging access to a sandboxed privilege-separation process, related to the m_zback and m_zlib data structures.

Buffer Overflow

sshd in OpenSSH before 7.4, when privilege separation is not used, creates forwarded Unix-domain sockets as root, which might
CVE-2016-10010 7 - High - January 05, 2017

sshd in OpenSSH before 7.4, when privilege separation is not used, creates forwarded Unix-domain sockets as root, which might allow local users to gain privileges via unspecified vectors, related to serverloop.c.

Permissions, Privileges, and Access Controls

Untrusted search path vulnerability in ssh-agent.c in ssh-agent in OpenSSH before 7.4
CVE-2016-10009 7.3 - High - January 05, 2017

Untrusted search path vulnerability in ssh-agent.c in ssh-agent in OpenSSH before 7.4 allows remote attackers to execute arbitrary local PKCS#11 modules by leveraging control over a forwarded agent-socket.

Untrusted Path

The kex_input_kexinit function in kex.c in OpenSSH 6.x and 7.x through 7.3
CVE-2016-8858 7.5 - High - December 09, 2016

The kex_input_kexinit function in kex.c in OpenSSH 6.x and 7.x through 7.3 allows remote attackers to cause a denial of service (memory consumption) by sending many duplicate KEXINIT requests. NOTE: a third party reports that "OpenSSH upstream does not consider this as a security issue."

Resource Management Errors

The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password authentication, which
CVE-2016-6515 7.5 - High - August 07, 2016

The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password authentication, which allows remote attackers to cause a denial of service (crypt CPU consumption) via a long string.

Improper Input Validation

The do_setup_env function in session.c in sshd in OpenSSH through 7.2p2, when the UseLogin feature is enabled and PAM is configured to read .pam_environment files in user home directories
CVE-2015-8325 7.8 - High - May 01, 2016

The do_setup_env function in session.c in sshd in OpenSSH through 7.2p2, when the UseLogin feature is enabled and PAM is configured to read .pam_environment files in user home directories, allows local users to gain privileges by triggering a crafted environment for the /bin/login program, as demonstrated by an LD_PRELOAD environment variable.

Permissions, Privileges, and Access Controls