
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
A vulnerability (CVE-2025-26465) was discovered in OpenSSH versions 6.8p1 through 9.9p1 when the VerifyHostKeyDNS option is enabled. The vulnerability allows an active machine-in-the-middle attacker to impersonate any server by bypassing the client's host key verification checks. This vulnerability was introduced in December 2014 and affects the OpenSSH client when VerifyHostKeyDNS is set to either "yes" or "ask" (disabled by default). The issue was discovered and demonstrated to be exploitable by the Qualys Security Advisory team (Qualys Advisory, OpenSSH Release).
The vulnerability stems from a logic error in how OpenSSH handles error codes when verifying host keys. When sshkey_from_private() returns any non-zero error code other than -1 (SSH_ERR_INTERNAL_ERROR), the verification process mistakenly returns success without properly checking the server's host key. The attack requires exhausting the client's memory resources first, making the attack complexity high. The vulnerability has a CVSS v3.1 base score of 6.8 (MEDIUM) with vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N (NVD).
If successfully exploited, attackers can perform machine-in-the-middle attacks to intercept or manipulate data transferred over SSH connections. This could allow viewing or manipulating sensitive data, lateral movement across multiple critical servers, and exfiltration of valuable information such as database credentials. Such breaches can lead to reputational damage, violation of compliance mandates (e.g., GDPR, HIPAA, PCI-DSS), and potential disruption of critical operations (The Register).
The vulnerability has been fixed in OpenSSH version 9.9p2. Organizations should upgrade to this version as soon as possible. For systems that cannot be immediately upgraded, the primary mitigation is to ensure the VerifyHostKeyDNS option is set to "no" (the default value) in the SSH client configuration. The fix is also available through various operating system vendors' security updates (OpenSSH Release, Debian Advisory).
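The following audit is an added example, not code from the advisory or the OpenSSH project. It flags a client as exposed only when its `ssh -V` version string falls in the affected range and its configuration sets VerifyHostKeyDNS to anything other than "no". The banner and configuration are constructed sample inputs, and the function names are hypothetical.

```python
import re

# Constructed sample inputs (not taken from any real host).
SAMPLE_BANNER = "OpenSSH_9.9p1, OpenSSL 3.0.15 3 Sep 2024"
SAMPLE_CONFIG = """\
Host *.internal.example
    VerifyHostKeyDNS = ask
Host bastion
    verifyhostkeydns no
Host *
    VerifyHostKeyDNS yes
"""

def parse_version(banner):
    """Return (major, minor, portable_patch) from `ssh -V` style text."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?", banner)
    if m is None:
        raise ValueError("no OpenSSH version in banner")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def in_affected_range(banner):
    """True for 6.8p1 through 9.9p1 (fixed in 9.9p2). Vendor builds may carry
    the fix under an older version string, so confirm against their advisory."""
    v = parse_version(banner)
    return (6, 8) <= v[:2] and v < (9, 9, 2)

def risky_settings(config_text):
    """List (scope, value) for each VerifyHostKeyDNS line not set to no/false.
    Include directives are not followed; run it on each included file."""
    scope, found = "(global)", []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config accepts both "Keyword value" and "Keyword=value".
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().strip('"')
        if key in ("host", "match"):
            scope = f"{parts[0]} {value}"
        elif key == "verifyhostkeydns" and value.lower() not in ("no", "false"):
            found.append((scope, value.lower()))
    return found

def assess(banner, config_text):
    """Exposed only if the version is in range and a risky setting exists."""
    hits = risky_settings(config_text)
    return {"findings": hits, "exposed": in_affected_range(banner) and bool(hits)}
```

The function reports every block that enables the option rather than resolving the effective value for one host, so a finding under a narrow Host pattern still needs review against the hosts it matches.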
The security community has responded with concern due to OpenSSH's widespread use in enterprise environments. High-profile organizations using OpenSSH include Facebook, Morgan Stanley, NetApp, Netflix, and Uber. Security researchers have emphasized the need for prompt patching, particularly given the immediate availability of proof-of-concept exploit code (The Register).
Source: This report was generated using AI