CVE-2016-8858

HIGH

OpenSSH 6.x-7.3 - Denial of Service via Duplicate KEXINIT Requests

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-8858. PoCs published by dag-erling.

AI-analyzed exploit summary The repository contains a functional PoC (kexkill) that exploits CVE-2016-8858 by sending a stream of KEXINIT packets to an SSH server, causing memory exhaustion in vulnerable OpenSSH versions. The code includes a well-structured implementation with connection handling, packet crafting, and state management.

Description

The kex_input_kexinit function in kex.c in OpenSSH 6.x and 7.x through 7.3 allows remote attackers to cause a denial of service (memory consumption) by sending many duplicate KEXINIT requests. NOTE: a third party reports that "OpenSSH upstream does not consider this as a security issue."

Exploits (1)

nomisec WORKING POC 7 stars

by dag-erling · poc

https://github.com/dag-erling/kexkill

View Code ZIP pw:eip

The repository contains a functional PoC (kexkill) that exploits CVE-2016-8858 by sending a stream of KEXINIT packets to an SSH server, causing memory exhaustion in vulnerable OpenSSH versions. The code includes a well-structured implementation with connection handling, packet crafting, and state management.

Classification

Working Poc 95%

Attack Type

Dos

Complexity

Moderate

Reliability

Reliable

Target: OpenSSH (versions affected by CVE-2016-8858)

No auth needed

Prerequisites: Network access to the target SSH server

MITRE ATT&CK

T1499 - Endpoint Denial of Service

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (13)

Core 13

Core References

Issue Tracking, Vendor Advisory

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/kex.c.diff?r1=1.126&r2=1.127&f=h

Issue Tracking, Patch, Third Party Advisory

https://github.com/openssh/openssh-portable/commit/ec165c392ca54317dbe3064a8c200de6531e89ad

Third Party Advisory

https://security.netapp.com/advisory/ntap-20180201-0001/

Third Party Advisory, VDB Entry vdb-entry

http://www.securityfocus.com/bid/93776

Mailing List, Third Party Advisory mailing-list

http://www.openwall.com/lists/oss-security/2016/10/20/1

Mailing List, Third Party Advisory mailing-list

http://www.openwall.com/lists/oss-security/2016/10/19/3

Patch, Vendor Advisory

https://ftp.openbsd.org/pub/OpenBSD/patches/6.0/common/013_ssh_kexinit.patch.sig

Third Party Advisory vendor-advisory

https://security.FreeBSD.org/advisories/FreeBSD-SA-16:33.openssh.asc

Third Party Advisory, VDB Entry vdb-entry

http://www.securitytracker.com/id/1037057

Third Party Advisory vendor-advisory

https://security.gentoo.org/glsa/201612-18

Issue Tracking

https://bugzilla.redhat.com/show_bug.cgi?id=1384860

Issue Tracking, Vendor Advisory

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/kex.c?rev=1.127&content-type=text/x-cvsweb-markup

Vendor Advisory

https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf

Scores

CVSS v3 7.5

EPSS 0.2946

EPSS Percentile 97.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-399 CWE-400

Status published

Products (6)

openbsd/openssh 6.8

openbsd/openssh 6.9

openbsd/openssh 7.0

openbsd/openssh 7.1

openbsd/openssh 7.2

openbsd/openssh 7.3

Published Dec 09, 2016

Tracked Since Feb 18, 2026