CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2025-26466

unknowncovered by 1 sourcefirst seen 2025-03-11
CVSSv3 Score: 5.9 CVE-2025-26466A flaw was found in the OpenSSH package. For each ping packet the SSH server receives, a pong packet is allocated in a memory buffer and stored in a queue of packages. It is only freed when the server/client key exchange has finished. A malicious client may keep sending such packages, leading to an uncontrolled increase in memory consumption on the server side. Consequently, the server may become unavailable, resulting in a denial of service attack. Revised on 2026-05-25 00:00:00

CSIRTS triage

What
A flaw allows a malicious client to cause a denial of service by consuming server memory.
Who is affected
OpenSSH servers that receive ping packets from malicious clients.
Urgency
Remediation is necessary as it can lead to server unavailability.
Action
Implement measures to limit or monitor incoming ping packets.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch CVE-2025-26466

Get an email if CVE-2025-26466 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2025-26466

CVE.org record

Embed the live status

CVE-2025-26466 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2025-26466 status](https://www.csirts.com/badge/CVE-2025-26466)](https://www.csirts.com/cve/CVE-2025-26466)