CVE-2023-25136

Published: Feb 3, 2023Modified: May 28, 2026

6.5

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H

Exploitability: 2.2 / Impact: 4.2

Source: NVD

Description

OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be leveraged, by an unauthenticated remote attacker in the default configuration, to jump to any location in the sshd address space. One third-party report states "remote code execution is theoretically possible."

Affected (7)

Products: Openbsd: Openssh · Fedoraproject: Fedora · Netapp: Ontap Select Deploy Administration Utility, A250 Firmware, 500f Firmware, C250 Firmware

1 product

1 product

4 products

Ontap Select Deploy Administration Utility

A250 Firmware

500f Firmware

C250 Firmware

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Openbsd Openssh	Version 9.1

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 37
Fedoraproject Fedora	Version 38

Configuration C

1 vulnerable

Vulnerable Software	Affected Versions
Netapp Ontap Select Deploy Administration Utility	All versions

Configuration D

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Netapp A250 Firmware	All versions

Running on/with	Platform Versions
Netapp A250	All versions

Configuration E

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Netapp 500f Firmware	All versions

Running on/with	Platform Versions
Netapp 500f	All versions

Configuration F

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Netapp C250 Firmware	All versions

Running on/with	Platform Versions
Netapp C250	All versions

Related CWEs

CWE-415

Double Free

The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.

References (32)

http://www.openwall.com/lists/oss-security/2023/02/13/1

Source: cve@mitre.org

Mailing ListThird Party Advisory

http://www.openwall.com/lists/oss-security/2023/02/22/1

Source: cve@mitre.org

Mailing ListThird Party Advisory

http://www.openwall.com/lists/oss-security/2023/02/22/2

Source: cve@mitre.org

Mailing ListThird Party Advisory

http://www.openwall.com/lists/oss-security/2023/02/23/3

Source: cve@mitre.org

Mailing ListThird Party Advisory

http://www.openwall.com/lists/oss-security/2023/03/06/1

Source: cve@mitre.org

Mailing ListThird Party Advisory

http://www.openwall.com/lists/oss-security/2023/03/09/2

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://bugzilla.mindrot.org/show_bug.cgi?id=3522

Source: cve@mitre.org

ExploitIssue TrackingThird Party Advisory

https://ftp.openbsd.org/pub/OpenBSD/patches/7.2/common/017_sshd.patch.sig

Source: cve@mitre.org

PatchVendor Advisory

https://github.com/openssh/openssh-portable/commit/486c4dc3b83b4b67d663fb0fa62bc24138ec3946

Source: cve@mitre.org

PatchThird Party Advisory

https://jfrog.com/blog/openssh-pre-auth-double-free-cve-2023-25136-writeup-and-proof-of-concept/

Source: cve@mitre.org

ExploitThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JGAUIXJ3TEKCRKVWFQ6GDAGQFTIIGQQP/

Source: cve@mitre.org

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R7LKQDFZWKYHQ65TBSH2X2HJQ4V2THS3/

Source: cve@mitre.org

https://news.ycombinator.com/item?id=34711565

Source: cve@mitre.org

Issue TrackingThird Party Advisory

https://security.gentoo.org/glsa/202307-01

Source: cve@mitre.org

Third Party Advisory

https://security.netapp.com/advisory/ntap-20230309-0003/

Source: cve@mitre.org

Third Party Advisory

https://www.openwall.com/lists/oss-security/2023/02/02/2

Source: cve@mitre.org

ExploitMailing ListThird Party Advisory

http://www.openwall.com/lists/oss-security/2023/02/13/1