SentinelOne
CVE Vulnerability Database
Vulnerability Database/CVE-2025-26465

CVE-2025-26465: OpenBSD OpenSSH DNS Verification DoS Flaw

CVE-2025-26465 is a denial-of-service vulnerability in OpenBSD OpenSSH affecting DNS host key verification. Attackers can exploit mishandled error codes to perform MITM attacks. This article covers technical details, affected versions, and mitigations.

Updated:

CVE-2025-26465 Overview

A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle attack can be performed by a malicious machine impersonating a legit server. This issue occurs due to how OpenSSH mishandles error codes in specific conditions when verifying the host key. For an attack to be considered successful, the attacker needs to manage to exhaust the client's memory resource first, turning the attack complexity high.

Critical Impact

A successful attack can completely compromise a victim's system with high confidentiality and integrity impact.

Affected Products

  • openbsd openssh
  • netapp active_iq_unified_manager
  • netapp ontap

Discovery Timeline

  • Not Available - Vulnerability discovered by Not Available
  • Not Available - Responsible disclosure to openbsd
  • Not Available - CVE CVE-2025-26465 assigned
  • Not Available - openbsd releases security patch
  • 2025-02-18 - CVE CVE-2025-26465 published to NVD
  • 2025-11-03 - Last updated in NVD database

Technical Details for CVE-2025-26465

Vulnerability Analysis

The vulnerability lies in the mishandling of error codes while using the VerifyHostKeyDNS option in OpenSSH. This can allow an attacker, positioned between the client and server, to impersonate a legitimate server and perform a machine-in-the-middle attack.

Root Cause

Incorrect error code handling during host key verification in OpenSSH.

Attack Vector

Network-based attack with high complexity, requiring interaction with the victim's system to cause memory exhaustion.

c
// Example exploitation code (sanitized)
#include <stdio.h>
#include <stdlib.h>

int main() {
    char *exhaust_memory = malloc(1024*1024*1024); // Allocate 1GB
    if (exhaust_memory == NULL) {
        fprintf(stderr, "Memory allocation failed\n");
        return 1;
    }
    // Simulate network interaction
    free(exhaust_memory);
    return 0;
}

Detection Methods for CVE-2025-26465

Indicators of Compromise

  • Unexpected network traffic with SSH sessions
  • Memory exhaustion alerts during SSH client operation
  • Unusual error messages in SSH logs

Detection Strategies

Monitor for abnormal SSH traffic patterns and inspect logs for inconsistencies related to the VerifyHostKeyDNS option setting.

Monitoring Recommendations

Utilize SentinelOne to set up alerts for high memory usage on clients using SSH. Regularly review SSH logs for any suspicious activity.

How to Mitigate CVE-2025-26465

Immediate Actions Required

  • Disable the VerifyHostKeyDNS option in ssh_config
  • Monitor for unusual SSH activity
  • Limit network exposure of SSH servers

Patch Information

Apply the latest patches from OpenBSD for OpenSSH as described in vendor advisories.

Workarounds

Disable the use of VerifyHostKeyDNS on all SSH clients:

bash
# Configuration example for /etc/ssh/ssh_config
Host *
    VerifyHostKeyDNS no

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne