CVE-2023-25136
Summary
| CVE | CVE-2023-25136 |
|---|---|
| State | PUBLISHED |
| Assigner | mitre |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-02-03 06:15:09 UTC |
| Updated | 2026-05-28 18:16:28 UTC |
| Description | OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be leveraged, by an unauthenticated remote attacker in the default configuration, to jump to any location in the sshd address space. One third-party report states "remote code execution is theoretically possible." |
Risk And Classification
Primary CVSS: v3.1 6.5 MEDIUM from [email protected]
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
EPSS: 0.883290000 probability, percentile 0.995130000 (date 2026-06-01)
Problem Types: CWE-415 Double Free
CVSS v3.1 Breakdown
| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity | Low |
| Availability | High |
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Fedoraproject | Fedora | 37 | All | All | All |
| Operating System | Fedoraproject | Fedora | 38 | All | All | All |
| Hardware | Netapp | 500f | - | All | All | All |
| Operating System | Netapp | 500f Firmware | - | All | All | All |
| Hardware | Netapp | A250 | - | All | All | All |
| Operating System | Netapp | A250 Firmware | - | All | All | All |
| Hardware | Netapp | C250 | - | All | All | All |
| Operating System | Netapp | C250 Firmware | - | All | All | All |
| Application | Netapp | Ontap Select Deploy Administration Utility | - | All | All | All |
| Application | Openbsd | Openssh | 9.1 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| 3522 – Crash with "free(): double free detected" with old clients | af854a3a-2127-422b-91ae-364da2661108 | bugzilla.mindrot.org | Exploit, Issue Tracking, Third Party Advisory |
| oss-security - Re: Re: double-free vulnerability in OpenSSH server 9.1 (CVE-2023-25136) | af854a3a-2127-422b-91ae-364da2661108 | www.openwall.com | Mailing List, Third Party Advisory |
| oss-security - Re: Re: double-free vulnerability in OpenSSH server 9.1 (CVE-2023-25136) | af854a3a-2127-422b-91ae-364da2661108 | www.openwall.com | Mailing List, Third Party Advisory |
| upstream: Always return allocated strings from the kex filtering so · openssh/openssh-portable@486c4dc · GitHub | af854a3a-2127-422b-91ae-364da2661108 | github.com | Patch, Third Party Advisory |
| oss-security - double-free vulnerability in OpenSSH server 9.1 | af854a3a-2127-422b-91ae-364da2661108 | www.openwall.com | Exploit, Mailing List, Third Party Advisory |
| oss-security - Re: Re: double-free vulnerability in OpenSSH server 9.1 (CVE-2023-25136) | af854a3a-2127-422b-91ae-364da2661108 | www.openwall.com | Mailing List, Third Party Advisory |
| [SECURITY] Fedora 37 Update: openssh-8.8p1-10.fc37 - package-announce - Fedora Mailing-Lists | af854a3a-2127-422b-91ae-364da2661108 | lists.fedoraproject.org | |
| oss-security - Re: double-free vulnerability in OpenSSH server 9.1 (CVE-2023-25136) | af854a3a-2127-422b-91ae-364da2661108 | www.openwall.com | Mailing List, Third Party Advisory |
| CVE-2023-25136 OpenSSH Pre-Auth Double Free Writeup & PoC | af854a3a-2127-422b-91ae-364da2661108 | jfrog.com | Exploit, Third Party Advisory |
| oss-security - Re: Re: double-free vulnerability in OpenSSH server 9.1 (CVE-2023-25136) | af854a3a-2127-422b-91ae-364da2661108 | www.openwall.com | Mailing List, Third Party Advisory |
| CVE-2023-25136 OpenSSH Vulnerability in NetApp Products | NetApp Product Security | af854a3a-2127-422b-91ae-364da2661108 | security.netapp.com | Third Party Advisory |
| ftp.openbsd.org/pub/OpenBSD/patches/7.2/common/017_sshd.patch.sig | af854a3a-2127-422b-91ae-364da2661108 | ftp.openbsd.org | Patch, Vendor Advisory |
| oss-security - Re: double-free vulnerability in OpenSSH server 9.1 (CVE-2023-25136) | af854a3a-2127-422b-91ae-364da2661108 | www.openwall.com | Mailing List, Third Party Advisory |
| OpenSSH Pre-Auth Double Free – CVE-2023-25136 – Writeup and Proof-of-Concept | Hacker News | af854a3a-2127-422b-91ae-364da2661108 | news.ycombinator.com | Issue Tracking, Third Party Advisory |
| [SECURITY] Fedora 38 Update: openssh-9.0p1-15.fc38 - package-announce - Fedora Mailing-Lists | af854a3a-2127-422b-91ae-364da2661108 | lists.fedoraproject.org | |
| OpenSSH: Remote Code Execution (GLSA 202307-01) — Gentoo security | af854a3a-2127-422b-91ae-364da2661108 | security.gentoo.org | Third Party Advisory |
| [SECURITY] Fedora 37 Update: openssh-8.8p1-10.fc37 - package-announce - Fedora Mailing-Lists | MITRE | lists.fedoraproject.org | |
| [SECURITY] Fedora 38 Update: openssh-9.0p1-15.fc38 - package-announce - Fedora Mailing-Lists | MITRE | lists.fedoraproject.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 160641 Oracle Enterprise Linux Security Update for openssh (ELSA-2023-2645)
- 184729 Debian Security Update for openssh (CVE-2023-25136)
- 241463 Red Hat Update for openssh (RHSA-2023:2645)
- 283896 Fedora Security Update for openssh (FEDORA-2023-1176c8b10c)
- 284173 Fedora Security Update for openssh (FEDORA-2023-123647648e)
- 38888 OpenSSH server 9.1 'sshd(8)' Double-Free Vulnerability
- 673019 EulerOS Security Update for openssh (EulerOS-SA-2023-1981)
- 673022 EulerOS Security Update for openssh (EulerOS-SA-2023-1959)
- 710742 Gentoo Linux OpenSSH Remote Code Execution (RCE) Vulnerability (GLSA 202307-01)
- 905383 Common Base Linux Mariner (CBL-Mariner) Security Update for openssh (13208)
- 905384 Common Base Linux Mariner (CBL-Mariner) Security Update for openssh (13213)
- 941047 AlmaLinux Security Update for openssh (ALSA-2023:2645)