{"api_version":"1","generated_at":"2026-04-22T22:50:33+00:00","cve":"CVE-2023-25136","urls":{"html":"https://cve.report/CVE-2023-25136","api":"https://cve.report/api/cve/CVE-2023-25136.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2023-25136","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2023-25136"},"summary":{"title":"CVE-2023-25136","description":"OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be leveraged, by an unauthenticated remote attacker in the default configuration, to jump to any location in the sshd address space. One third-party report states \"remote code execution is theoretically possible.\"","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2023-02-03 06:15:00","updated_at":"2023-11-07 04:08:00"},"problem_types":["CWE-415"],"metrics":[],"references":[{"url":"https://bugzilla.mindrot.org/show_bug.cgi?id=3522","name":"https://bugzilla.mindrot.org/show_bug.cgi?id=3522","refsource":"MISC","tags":[],"title":"3522 – Crash with \"free(): double free detected\" with old clients","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R7LKQDFZWKYHQ65TBSH2X2HJQ4V2THS3/","name":"FEDORA-2023-1176c8b10c","refsource":"","tags":[],"title":"[SECURITY] Fedora 37 Update: openssh-8.8p1-10.fc37 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.netapp.com/advisory/ntap-20230309-0003/","name":"https://security.netapp.com/advisory/ntap-20230309-0003/","refsource":"CONFIRM","tags":[],"title":"CVE-2023-25136 OpenSSH Vulnerability in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JGAUIXJ3TEKCRKVWFQ6GDAGQFTIIGQQP/","name":"FEDORA-2023-123647648e","refsource":"","tags":[],"title":"[SECURITY] Fedora 38 Update: openssh-9.0p1-15.fc38 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.openwall.com/lists/oss-security/2023/03/09/2","name":"[oss-security] 20230309 Re: Re: double-free vulnerability in OpenSSH server 9.1 (CVE-2023-25136)","refsource":"MLIST","tags":[],"title":"oss-security - Re: Re: double-free vulnerability in OpenSSH server\n 9.1 (CVE-2023-25136)","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://www.openwall.com/lists/oss-security/2023/02/13/1","name":"[oss-security] 20230213 Re: double-free vulnerability in OpenSSH server 9.1 (CVE-2023-25136)","refsource":"MLIST","tags":[],"title":"oss-security - Re: double-free vulnerability in OpenSSH server 9.1 (CVE-2023-25136)","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://jfrog.com/blog/openssh-pre-auth-double-free-cve-2023-25136-writeup-and-proof-of-concept/","name":"https://jfrog.com/blog/openssh-pre-auth-double-free-cve-2023-25136-writeup-and-proof-of-concept/","refsource":"MISC","tags":[],"title":"CVE-2023-25136 OpenSSH Pre-Auth Double Free Writeup & PoC","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R7LKQDFZWKYHQ65TBSH2X2HJQ4V2THS3/","name":"FEDORA-2023-1176c8b10c","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 37 Update: openssh-8.8p1-10.fc37 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://news.ycombinator.com/item?id=34711565","name":"https://news.ycombinator.com/item?id=34711565","refsource":"MISC","tags":[],"title":"OpenSSH Pre-Auth Double Free – CVE-2023-25136 – Writeup and Proof-of-Concept | Hacker News","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.openwall.com/lists/oss-security/2023/03/06/1","name":"[oss-security] 20230306 Re: Re: double-free vulnerability in OpenSSH server 9.1 (CVE-2023-25136)","refsource":"MLIST","tags":[],"title":"oss-security - Re: Re: double-free vulnerability in OpenSSH server\n 9.1 (CVE-2023-25136)","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://www.openwall.com/lists/oss-security/2023/02/22/1","name":"[oss-security] 20230222 Re: double-free vulnerability in OpenSSH server 9.1 (CVE-2023-25136)","refsource":"MLIST","tags":[],"title":"oss-security - Re: double-free vulnerability in OpenSSH server 9.1 (CVE-2023-25136)","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/openssh/openssh-portable/commit/486c4dc3b83b4b67d663fb0fa62bc24138ec3946","name":"https://github.com/openssh/openssh-portable/commit/486c4dc3b83b4b67d663fb0fa62bc24138ec3946","refsource":"MISC","tags":[],"title":"upstream: Always return allocated strings from the kex filtering so · openssh/openssh-portable@486c4dc · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.openwall.com/lists/oss-security/2023/02/02/2","name":"https://www.openwall.com/lists/oss-security/2023/02/02/2","refsource":"MISC","tags":[],"title":"oss-security - double-free vulnerability in OpenSSH server 9.1","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.openwall.com/lists/oss-security/2023/02/22/2","name":"[oss-security] 20230222 Re: Re: double-free vulnerability in OpenSSH server 9.1 (CVE-2023-25136)","refsource":"MLIST","tags":[],"title":"oss-security - Re: Re: double-free vulnerability in OpenSSH server\n 9.1 (CVE-2023-25136)","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JGAUIXJ3TEKCRKVWFQ6GDAGQFTIIGQQP/","name":"FEDORA-2023-123647648e","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 38 Update: openssh-9.0p1-15.fc38 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://www.openwall.com/lists/oss-security/2023/02/23/3","name":"[oss-security] 20230223 Re: Re: double-free vulnerability in OpenSSH server 9.1 (CVE-2023-25136)","refsource":"MLIST","tags":[],"title":"oss-security - Re: Re: double-free vulnerability in OpenSSH server\n 9.1 (CVE-2023-25136)","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.gentoo.org/glsa/202307-01","name":"GLSA-202307-01","refsource":"GENTOO","tags":[],"title":"OpenSSH: Remote Code Execution (GLSA 202307-01) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://ftp.openbsd.org/pub/OpenBSD/patches/7.2/common/017_sshd.patch.sig","name":"https://ftp.openbsd.org/pub/OpenBSD/patches/7.2/common/017_sshd.patch.sig","refsource":"MISC","tags":[],"title":"","mime":"text/x-diff","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-25136","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-25136","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2023","cve_id":"25136","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"37","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"25136","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"38","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"25136","vulnerable":"-1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"h","cpe4":"netapp","cpe5":"500f","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"25136","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"netapp","cpe5":"500f_firmware","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"25136","vulnerable":"-1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"h","cpe4":"netapp","cpe5":"a250","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"25136","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"netapp","cpe5":"a250_firmware","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"25136","vulnerable":"-1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"h","cpe4":"netapp","cpe5":"c250","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"25136","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"netapp","cpe5":"c250_firmware","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"25136","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"netapp","cpe5":"ontap_select_deploy_administration_utility","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"25136","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"openssh","cpe5":"openssh","cpe6":"9.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2023-25136","qid":"160641","title":"Oracle Enterprise Linux Security Update for openssh (ELSA-2023-2645)"},{"cve":"CVE-2023-25136","qid":"184729","title":"Debian Security Update for openssh (CVE-2023-25136)"},{"cve":"CVE-2023-25136","qid":"241463","title":"Red Hat Update for openssh (RHSA-2023:2645)"},{"cve":"CVE-2023-25136","qid":"283896","title":"Fedora Security Update for openssh (FEDORA-2023-1176c8b10c)"},{"cve":"CVE-2023-25136","qid":"284173","title":"Fedora Security Update for openssh (FEDORA-2023-123647648e)"},{"cve":"CVE-2023-25136","qid":"38888","title":"OpenSSH server 9.1 'sshd(8)' Double-Free Vulnerability"},{"cve":"CVE-2023-25136","qid":"673019","title":"EulerOS Security Update for openssh (EulerOS-SA-2023-1981)"},{"cve":"CVE-2023-25136","qid":"673022","title":"EulerOS Security Update for openssh (EulerOS-SA-2023-1959)"},{"cve":"CVE-2023-25136","qid":"710742","title":"Gentoo Linux OpenSSH Remote Code Execution (RCE) Vulnerability (GLSA 202307-01)"},{"cve":"CVE-2023-25136","qid":"905383","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for openssh (13208)"},{"cve":"CVE-2023-25136","qid":"905384","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for openssh (13213)"},{"cve":"CVE-2023-25136","qid":"941047","title":"AlmaLinux Security Update for openssh (ALSA-2023:2645)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2023-25136","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be leveraged, by an unauthenticated remote attacker in the default configuration, to jump to any location in the sshd address space. One third-party report states \"remote code execution is theoretically possible.\""}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"https://ftp.openbsd.org/pub/OpenBSD/patches/7.2/common/017_sshd.patch.sig","refsource":"MISC","name":"https://ftp.openbsd.org/pub/OpenBSD/patches/7.2/common/017_sshd.patch.sig"},{"url":"https://www.openwall.com/lists/oss-security/2023/02/02/2","refsource":"MISC","name":"https://www.openwall.com/lists/oss-security/2023/02/02/2"},{"url":"https://bugzilla.mindrot.org/show_bug.cgi?id=3522","refsource":"MISC","name":"https://bugzilla.mindrot.org/show_bug.cgi?id=3522"},{"url":"https://github.com/openssh/openssh-portable/commit/486c4dc3b83b4b67d663fb0fa62bc24138ec3946","refsource":"MISC","name":"https://github.com/openssh/openssh-portable/commit/486c4dc3b83b4b67d663fb0fa62bc24138ec3946"},{"refsource":"MISC","name":"https://jfrog.com/blog/openssh-pre-auth-double-free-cve-2023-25136-writeup-and-proof-of-concept/","url":"https://jfrog.com/blog/openssh-pre-auth-double-free-cve-2023-25136-writeup-and-proof-of-concept/"},{"refsource":"MISC","name":"https://news.ycombinator.com/item?id=34711565","url":"https://news.ycombinator.com/item?id=34711565"},{"refsource":"MLIST","name":"[oss-security] 20230213 Re: double-free vulnerability in OpenSSH server 9.1 (CVE-2023-25136)","url":"http://www.openwall.com/lists/oss-security/2023/02/13/1"},{"refsource":"MLIST","name":"[oss-security] 20230222 Re: double-free vulnerability in OpenSSH server 9.1 (CVE-2023-25136)","url":"http://www.openwall.com/lists/oss-security/2023/02/22/1"},{"refsource":"MLIST","name":"[oss-security] 20230222 Re: Re: double-free vulnerability in OpenSSH server 9.1 (CVE-2023-25136)","url":"http://www.openwall.com/lists/oss-security/2023/02/22/2"},{"refsource":"MLIST","name":"[oss-security] 20230223 Re: Re: double-free vulnerability in OpenSSH server 9.1 (CVE-2023-25136)","url":"http://www.openwall.com/lists/oss-security/2023/02/23/3"},{"refsource":"MLIST","name":"[oss-security] 20230306 Re: Re: double-free vulnerability in OpenSSH server 9.1 (CVE-2023-25136)","url":"http://www.openwall.com/lists/oss-security/2023/03/06/1"},{"refsource":"MLIST","name":"[oss-security] 20230309 Re: Re: double-free vulnerability in OpenSSH server 9.1 (CVE-2023-25136)","url":"http://www.openwall.com/lists/oss-security/2023/03/09/2"},{"refsource":"CONFIRM","name":"https://security.netapp.com/advisory/ntap-20230309-0003/","url":"https://security.netapp.com/advisory/ntap-20230309-0003/"},{"refsource":"FEDORA","name":"FEDORA-2023-1176c8b10c","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R7LKQDFZWKYHQ65TBSH2X2HJQ4V2THS3/"},{"refsource":"FEDORA","name":"FEDORA-2023-123647648e","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JGAUIXJ3TEKCRKVWFQ6GDAGQFTIIGQQP/"},{"refsource":"GENTOO","name":"GLSA-202307-01","url":"https://security.gentoo.org/glsa/202307-01"}]}},"nvd":{"publishedDate":"2023-02-03 06:15:00","lastModifiedDate":"2023-11-07 04:08:00","problem_types":["CWE-415"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"HIGH","baseScore":6.5,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.2,"impactScore":4.2}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:openssh:openssh:9.1:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"AND","children":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:netapp:a250_firmware:-:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":false,"cpe23Uri":"cpe:2.3:h:netapp:a250:-:*:*:*:*:*:*:*","cpe_name":[]}]}],"cpe_match":[]},{"operator":"AND","children":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:netapp:500f_firmware:-:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":false,"cpe23Uri":"cpe:2.3:h:netapp:500f:-:*:*:*:*:*:*:*","cpe_name":[]}]}],"cpe_match":[]},{"operator":"AND","children":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:netapp:c250_firmware:-:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":false,"cpe23Uri":"cpe:2.3:h:netapp:c250:-:*:*:*:*:*:*:*","cpe_name":[]}]}],"cpe_match":[]}]}},"legacy_mitre":{"record":null,"notes":[]}}}