Skip to main content

OpenSSH CVE-2026-55653

| EUVDEUVD-2026-38412 MEDIUM
Double Free (CWE-415)
2026-06-23 redhat GHSA-28f3-55mq-pp68
6.5
CVSS 3.1 · NVD
Share

Severity by source

Vendor (redhat) PRIMARY
MEDIUM
qualitative
NVD
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
vuln.today AI
4.3 MEDIUM

Network-delivered via malicious server (AV:N), no privileges needed on attacker side (PR:N), but victim must initiate the connection (UI:R); impact is client-process termination only (A:L), no C or I impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
4.0 AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Red Hat
4.3 MEDIUM
qualitative

Primary rating from Vendor (redhat).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
CVSS changed
Jun 25, 2026 - 17:07 NVD
4.3 (MEDIUM) 6.5 (MEDIUM)
Analysis Generated
Jun 23, 2026 - 04:16 vuln.today
CVE Published
Jun 23, 2026 - 03:36 cve.org
MEDIUM 4.3

DescriptionNVD

A flaw was found in OpenSSH. A malicious SSH server can exploit a double free vulnerability in the Diffie-Hellman Group Exchange (DH-GEX) client path. This occurs during FIPS (Federal Information Processing Standards) mode known-group validation when the client processes attacker-controlled DH-GEX group parameters. Successful exploitation leads to client-side process termination, resulting in a Denial of Service (DoS).

AnalysisAI

Client-side Denial of Service in OpenSSH's Diffie-Hellman Group Exchange implementation allows a malicious SSH server to crash connecting clients running in FIPS mode. When a victim initiates an SSH connection to an attacker-controlled server, the server sends crafted DH-GEX group parameters that trigger a double free (CWE-415) during FIPS known-group validation, terminating the client process. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker deploys malicious SSH server
Delivery
Victim on FIPS-mode client initiates SSH connection
Exploit
Server presents crafted DH-GEX group parameters
Execution
FIPS known-group validation processes attacker-supplied parameters
Persist
Double free corrupts client heap
Impact
SSH client process terminates (DoS)

Vulnerability AssessmentAI

Exploitation Exploitation requires two simultaneous conditions: (1) the OpenSSH client must be operating in FIPS mode - this is a non-default configuration typically enforced via system-wide FIPS policy (e.g., 'fips-mode-setup --enable' on RHEL) and is not present in standard installations; and (2) the victim user must actively initiate an SSH connection (UI:R) to a server controlled by the attacker. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 4.3 (Medium) reflects an availability-only impact limited to the client process (A:L, S:U), with no confidentiality or integrity consequences. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker operating a malicious SSH server on the internet (or on an internal network via server compromise or ARP poisoning) waits for a victim on a FIPS-mode RHEL or OpenShift system to initiate an SSH connection. When the victim's OpenSSH client begins the DH-GEX key exchange, the malicious server returns specially crafted group parameters that trigger the double free during FIPS known-group validation, causing the client process to crash and aborting the session. …
Remediation No specific patched version of OpenSSH or Red Hat package has been identified in the available data; administrators should monitor https://access.redhat.com/security/cve/CVE-2026-55653 for errata as Red Hat releases fixes. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in SSH

View all
CVE-2014-6271 CRITICAL POC
9.8 Sep 24

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which

CVE-2014-6278 HIGH POC
8.8 Sep 30

GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, whi

CVE-2014-7169 CRITICAL POC
9.8 Sep 25

GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of

CVE-2012-6066 CRITICAL POC
9.3 Dec 04

freeSSHd.exe in freeSSHd through 1.2.6 allows remote attackers to bypass authentication via a crafted session, as demons

CVE-2014-6277 CRITICAL POC
10.0 Sep 27

GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, whi

CVE-2023-25136 MEDIUM POC
6.5 Feb 03

OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. Rated medium se

CVE-2016-6210 MEDIUM POC
5.9 Feb 13

sshd in OpenSSH before 7.3, when SHA256 or SHA512 are used for user password hashing, uses BLOWFISH hashing on a static

CVE-2015-5600 HIGH POC
8.1 Aug 03

The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processin

CVE-2016-6515 HIGH POC
7.5 Aug 07

The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password a

CVE-2024-6387 HIGH POC
8.1 Jul 01

Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to

CVE-2012-5975 CRITICAL POC
9.3 Dec 04

The SSH USERAUTH CHANGE REQUEST feature in SSH Tectia Server 6.0.4 through 6.0.20, 6.1.0 through 6.1.12, 6.2.0 through 6

CVE-2023-48795 MEDIUM POC
5.9 Dec 18

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot

Vendor StatusVendor

Debian

openssh
Release Status Fixed Version Urgency
bullseye undetermined 1:8.4p1-5+deb11u3 -
bullseye (security) undetermined 1:8.4p1-5+deb11u7 -
bookworm undetermined 1:9.2p1-2+deb12u10 -
bookworm (security) undetermined 1:9.2p1-2+deb12u9 -
trixie undetermined 1:10.0p1-7+deb13u4 -
trixie (security) undetermined 1:10.0p1-7+deb13u2 -
forky, sid undetermined 1:10.3p1-4 -
(unstable) fixed undetermined -

Share

CVE-2026-55653 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy