CVE-2025-26466

MEDIUM

OpenSSH - Denial of Service via Ping Packet Memory Exhaustion

Title source: llm

Exploitation Summary

EIP tracks 4 public exploits for CVE-2025-26466. PoCs published by rxerium, dolutech, tpirate.

AI-analyzed exploit summary This repository provides a Nuclei template for detecting vulnerable OpenSSH versions (9.5p1 to 9.9p1) affected by CVE-2025-26466. It is a passive scanner that matches SSH banner strings to identify potentially vulnerable hosts.

Description

A flaw was found in the OpenSSH package. For each ping packet the SSH server receives, a pong packet is allocated in a memory buffer and stored in a queue of packages. It is only freed when the server/client key exchange has finished. A malicious client may keep sending such packages, leading to an uncontrolled increase in memory consumption on the server side. Consequently, the server may become unavailable, resulting in a denial of service attack.

Exploits (4)

nomisec SCANNER 4 stars

by rxerium · poc

https://github.com/rxerium/CVE-2025-26466

View Code ZIP pw:eip

This repository provides a Nuclei template for detecting vulnerable OpenSSH versions (9.5p1 to 9.9p1) affected by CVE-2025-26466. It is a passive scanner that matches SSH banner strings to identify potentially vulnerable hosts.

Classification

Scanner 90%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: OpenSSH versions 9.5p1 to 9.9p1

No auth needed

Prerequisites: Nuclei installed · Network access to target host

MITRE ATT&CK

T1595 - Active Scanning

devstral-2 · analyzed Feb 16, 2026 Full analysis →

github WRITEUP 1 stars

by dolutech · shellpoc

https://github.com/dolutech/patch-manual-CVE-2025-26465-e-CVE-2025-26466

View Code ZIP pw:eip

This repository provides a mitigation script for OpenSSH vulnerabilities CVE-2025-26465 and CVE-2025-26466, focusing on disabling VerifyHostKeyDNS and adjusting MaxStartups to prevent DoS attacks. It includes a detailed README and a bash script for automated mitigation.

Classification

Writeup 90%

Attack Type

Dos

Complexity

Trivial

Reliability

Reliable

Target: OpenSSH

No auth needed

Prerequisites: Access to modify SSH configuration files · Root or sudo privileges

MITRE ATT&CK

T1499 - Endpoint Denial of Service

devstral-2 · analyzed Feb 19, 2026 Full analysis →

nomisec WORKING POC

by tpirate · poc

https://github.com/tpirate/CVE-2025-26466

View Code ZIP pw:eip

This repository contains a functional proof-of-concept exploit for CVE-2025-26466, which targets an OpenSSH vulnerability. The exploit initiates a TCP connection, sends crafted SSH packets, and loops sending ping requests without completing key exchange, leading to a denial-of-service condition due to unbounded pong responses.

Classification

Working Poc 90%

Attack Type

Dos

Complexity

Moderate

Reliability

Reliable

Target: OpenSSH (version not specified)

No auth needed

Prerequisites: network access to target SSH port

MITRE ATT&CK

T1499 - Endpoint Denial of Service

devstral-2 · analyzed Apr 09, 2026 Full analysis →

nomisec WORKING POC

by mrowkoob · poc

https://github.com/mrowkoob/CVE-2025-26466-msf

View Code ZIP pw:eip

This is a Metasploit module for CVE-2025-26466, which exploits a DoS vulnerability in OpenSSH (versions 9.5p1 to 9.9p1) by sending repeated SSH2_MSG_PING packets to exhaust server resources. The module includes options to control the number of packets and check for server responses.

Classification

Working Poc 95%

Attack Type

Dos

Complexity

Trivial

Reliability

Reliable

Target: OpenSSH 9.5p1 to 9.9p1

No auth needed

Prerequisites: Network access to the target SSH server

MITRE ATT&CK