CVE-2025-26466
CVSSv3 Score: 5.9 CVE-2025-26466A flaw was found in the OpenSSH package. For each ping packet the SSH server receives, a pong packet is allocated in a memory buffer and stored in a queue of packages. It is only freed when the server/client key exchange has finished. A malicious client may keep sending such packages, leading to an uncontrolled increase in memory consumption on the server side. Consequently, the server may become unavailable, resulting in a denial of service attack. Revised on 2026-05-25 00:00:00
CSIRTS triage
- What
- A flaw allows a malicious client to cause a denial of service by consuming server memory.
- Who is affected
- OpenSSH servers that receive ping packets from malicious clients.
- Urgency
- Remediation is necessary as it can lead to server unavailability.
- Action
- Implement measures to limit or monitor incoming ping packets.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch CVE-2025-26466
Get an email if CVE-2025-26466 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.
Exploitation outlook
- Elevated exploitation risk38.5% 30-day exploitation probability — well above the norm. Schedule remediation this cycle. Riskier than 98% of all EPSS-scored CVEs.
Advisory coverage (1)
- unknownPre-authentication Denial of Service attack in OpenSSH - CVE-2025-26466fortinet · 2025-03-11
External references
Embed the live status
— this badge updates automatically when the KEV or exploit status changes. How to embed it →
[](https://www.csirts.com/cve/CVE-2025-26466)