CVE-2025-26466: 
OpenSSH vulnerability analysis and mitigation

A denial-of-service vulnerability (CVE-2025-26466) was discovered in OpenSSH versions 9.5p1 through 9.9p1. The flaw exists in the OpenSSH package where for each ping packet the SSH server receives, a pong packet is allocated in a memory buffer and stored in a queue of packages, which is only freed when the server/client key exchange has finished. This vulnerability was introduced in August 2023 (shortly before OpenSSH 9.5p1) by commit dce6d80 that introduced a transport-level ping facility (Qualys Advisory, OpenSSH Release).

The vulnerability involves an asymmetric resource consumption of both memory and CPU. For every 16B PING packet received, a PONG buffer of 256B (SSHBUFSIZEINIT) is allocated and not freed until the key exchange ends. During a key exchange, PONG packets are appended to a list of outgoing packets with unlimited growth potential, as opposed to normal operation where packets are limited by the maximum output buffer size of 128MB (Qualys Advisory). The vulnerability has been assigned a CVSS score of 5.9 (Medium) with vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H (Ubuntu Security).

A malicious client can exploit this vulnerability by continuously sending ping packets, leading to an uncontrolled increase in memory consumption on the server side. This can result in the server becoming unavailable, effectively creating a denial of service condition. The attack affects both the client and server, with the server side being particularly vulnerable to memory exhaustion and CPU consumption (MITRE CVE).

On the server side, this attack can be mitigated using built-in OpenSSH mechanisms: LoginGraceTime (which kills memory-consuming connections after 2 minutes), MaxStartups, and PerSourcePenalties (in OpenSSH 9.8p1 and newer). A complete fix is available in OpenSSH 9.9p2. System administrators should update to this version or apply the relevant security patches for their distribution (OpenSSH Release).