Description


OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be leveraged, by an unauthenticated remote attacker in the default configuration, to jump to any location in the sshd address space. One third-party report states "remote code execution is theoretically possible."

References








https://bugzilla.mindrot.org/show_bug.cgi?id=3522

Exploit, Issue Tracking, Third Party Advisory






https://news.ycombinator.com/item?id=34711565

Issue Tracking, Third Party Advisory



https://www.openwall.com/lists/oss-security/2023/02/02/2

Exploit, Mailing List, Third Party Advisory

Weaknesses



CWE-415

CVSS impact metrics


CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H

6.5 · Medium


Information


Source identifier

[email protected]

Vulnerability status

Modified

Published

2023-02-03T06:15:09.350


Last modified

2024-02-27T15:15:14.617
