CVE-2025-8277Missing Release of Memory after Effective Lifetime in Libssh

CWE-401Missing Release of Memory after Effective LifetimeCWE-400Uncontrolled Resource Consumption11 documents7 sources
Severity
3.1LOWNVD
EPSS
0.1%
top 83.50%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
12
LibsshDebian LibsshMsrc Azl3 Libssh 0.10.6-2 ON Azure Linux 3.0+9 more
Timeline
PublishedSep 9
Latest updateFeb 23

Description

A flaw was found in libssh's handling of key exchange (KEX) processes when a client repeatedly sends incorrect KEX guesses. The library fails to free memory during these rekey operations, which can gradually exhaust system memory. This issue can lead to crashes on the client side, particularly when using libgcrypt, which impacts application stability and availability.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:LExploitability: 1.6 | Impact: 1.4

Affected Packages13 packages

debiandebian/libssh< libssh 0.10.6-0+deb12u2 (bookworm)
Debianlibssh/libssh< 0.9.8-0+deb11u2+3
Ubuntulibssh/libssh< 0.9.6-2ubuntu0.22.04.6+5

🔴Vulnerability Details

4
OSV
libssh vulnerabilities2026-02-23
OSV
libssh vulnerabilities2026-02-18
OSV
CVE-2025-8277: A flaw was found in libssh's handling of key exchange (KEX) processes when a client repeatedly sends incorrect KEX guesses2025-09-09
GHSA
GHSA-39mw-228p-wr6v: A flaw was found in libssh's handling of key exchange (KEX) processes when a client repeatedly sends incorrect KEX guesses2025-09-09

📋Vendor Advisories

6
Ubuntu
libssh vulnerabilities2026-02-23
Ubuntu
libssh vulnerabilities2026-02-18
Microsoft
Libssh: memory exhaustion via repeated key exchange in libssh2025-09-09
Red Hat
libssh: Memory Exhaustion via Repeated Key Exchange in libssh2025-09-09
Debian
CVE-2025-8277: libssh - A flaw was found in libssh's handling of key exchange (KEX) processes when a cli...2025