OpenBSD OpenSSH vulnerabilities

125 known vulnerabilities affecting openbsd/openssh.

Total CVEs: 125
CISA KEV: 0
Public exploits: 24
Exploited in wild: 10
Severity breakdown: CRITICAL 12, HIGH 46, MEDIUM 54, LOW 13

Vulnerabilities

Page 3 of 7
CVE-2020-12062 | P3 | HIGH | CVSS 7.5 | v8.2 | 2020-06-01
CVE-2020-12062 [HIGH] CWE-20: The scp client in OpenSSH 8.2 incorrectly sends duplicate responses to the server upon a utimes system call failure, which allows a malicious unprivileged user on the remote server to overwrite arbitrary files in the client's download directory by creating a crafted subdirectory anywhere on the remote server. The victim must use the command scp -rp to
Sources: nvd, osv
CVE-2026-35385 | P3 | HIGH | CVSS 8.1 | fixed in 10.3 | 2026-04-02
CVE-2026-35385 [HIGH] CWE-281: In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).
Source: nvd
CVE-2026-35386 | P3 | HIGH | CVSS 8.1 | fixed in 10.3 | 2026-04-02
CVE-2026-35386 [HIGH] CWE-696: In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configuration of % in ssh_config.
Source: nvd
CVE-2010-5107 | P3 | HIGH | CVSS 7.5 | ≤ 6.1 | v1.2 +81 more | 2013-03-07
CVE-2010-5107 [HIGH] CWE-400: The default configuration of OpenSSH through 6.1 enforces a fixed time limit between establishing a TCP connection and completing a login, which makes it easier for remote attackers to cause a denial of service (connection-slot exhaustion) by periodically making many new TCP connections.
Sources: nvd, osv
CVE-2000-0992 | P4 | MEDIUM | CVSS 5.0 | PoC | v1.2 | v1.2.3 | 2000-12-19
CVE-2000-0992 [MEDIUM]: Directory traversal vulnerability in scp in sshd 1.2.xx allows a remote malicious scp server to overwrite arbitrary files via a .. (dot dot) attack.
Sources: nvd, osv
CVE-2025-26465 | P3 | MEDIUM | CVSS 6.8 | ≥ 6.9, ≤ 9.8 | v6.8 +1 more | 2025-02-18
CVE-2025-26465 [MEDIUM] CWE-390: A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle attack can be performed by a malicious machine impersonating a legit server. This issue occurs due to how OpenSSH mishandles error codes in specific conditions when verifying the host key. For an attack to be considered successful, the attacker
Sources: nvd, osv
CVE-2016-10708 | P3 | HIGH | CVSS 7.5 | fixed in 7.4 | 2018-01-21
CVE-2016-10708 [HIGH] CWE-476: sshd in OpenSSH before 7.4 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYS message, as demonstrated by Honggfuzz, related to kex.c and packet.c.
Sources: nvd, osv
CVE-2003-0786 | P3 | CRITICAL | CVSS 10.0 | v3.7.1 | v3.7.1p1 | 2003-11-17
CVE-2003-0786 [CRITICAL]: The SSH1 PAM challenge response authentication in OpenSSH 3.7.1 and 3.7.1p1, when Privilege Separation is disabled, does not check the result of the authentication attempt, which can allow remote attackers to gain privileges.
Sources: nvd, osv
CVE-2019-16905 | P3 | HIGH | CVSS 7.8 | ≥ 7.7, ≤ 7.9 | ≥ 8.0, < 8.1 | 2019-10-09
CVE-2019-16905 [HIGH] CWE-190: OpenSSH 7.7 through 7.9 and 8.x before 8.1, when compiled with an experimental key type, has a pre-authentication integer overflow if a client or server is configured to use a crafted XMSS key. This leads to memory corruption and local code execution because of an error in the XMSS key parsing algorithm. NOTE: the XMSS implementation is considered exp
Sources: nvd, osv
CVE-2016-10012 | P3 | HIGH | CVSS 7.8 | ≤ 7.3 | 2017-01-05
CVE-2016-10012 [HIGH] CWE-119: The shared memory manager (associated with pre-authentication compression) in sshd in OpenSSH before 7.4 does not ensure that a bounds check is enforced by all compilers, which might allow local users to gain privileges by leveraging access to a sandboxed privilege-separation process, related to the m_zback and m_zlib data structures.
Sources: nvd, osv
CVE-2000-0999 | P3 | CRITICAL | CVSS 10.0 | v4.5 | 2000-12-11
CVE-2000-0999 [CRITICAL]: Format string vulnerabilities in OpenBSD ssh program (and possibly other BSD-based operating systems) allow attackers to gain root privileges.
Source: nvd
CVE-2026-35414 | P3 | HIGH | CVSS 8.1 | fixed in 10.3 | 2026-04-02
CVE-2026-35414 [HIGH] CWE-670: OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.
Source: nvd
CVE-2024-39894 | P3 | HIGH | CVSS 7.5 | ≥ 0, < 1:9.8p1-1 | 2024-07-02
CVE-2024-39894 [HIGH]: OpenSSH 9.5 through 9.7 before 9.8 sometimes allows timing attacks against echo-off password entry (e.g., for su and Sudo) because of an ObscureKeystrokeTiming logic error. Similarly, other timing attacks against keystroke entry could occur.
Source: osv
CVE-2003-0693 | P3 | CRITICAL | CVSS 10.0 | ≤ 3.7 | 2003-09-22
CVE-2003-0693 [CRITICAL]: A "buffer management error" in buffer_append_space of buffer.c for OpenSSH before 3.7 may allow remote attackers to execute arbitrary code by causing an incorrect amount of memory to be freed and corrupting the heap, a different vulnerability than CVE-2003-0695.
Sources: nvd, osv
CVE-2014-1692 | P3 | HIGH | CVSS 7.3 | ≤ 6.4 | 2014-01-29
CVE-2014-1692 [HIGH] CWE-119: The hash_buffer function in schnorr.c in OpenSSH through 6.4, when Makefile.inc is modified to enable the J-PAKE protocol, does not initialize certain data structures, which might allow remote attackers to cause a denial of service (memory corruption) or have unspecified other impact via vectors that trigger an error condition.
Source: nvd
CVE-2021-28041 | P3 | HIGH | CVSS 7.1 | ≥ 8.2, < 8.5 | 2021-03-05
CVE-2021-28041 [HIGH] CWE-415: ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host.
Sources: nvd, osv
CVE-2015-8325 | P3 | HIGH | CVSS 7.8 | ≤ 7.2 | 2016-05-01
CVE-2015-8325 [HIGH] CWE-264: The do_setup_env function in session.c in sshd in OpenSSH through 7.2p2, when the UseLogin feature is enabled and PAM is configured to read .pam_environment files in user home directories, allows local users to gain privileges by triggering a crafted environment for the /bin/login program, as demonstrated by an LD_PRELOAD environment variable.
Sources: nvd, osv
CVE-2006-5794 | P3 | HIGH | CVSS 7.5 | ≤ 4.4 | 2006-11-08
CVE-2006-5794 [HIGH]: Unspecified vulnerability in the sshd Privilege Separation Monitor in OpenSSH before 4.5 causes weaker verification that authentication has been successful, which might allow attackers to bypass authentication. NOTE: as of 20061108, it is believed that this issue is only exploitable by leveraging vulnerabilities in the unprivileged process, which are not known
Sources: nvd, osv
CVE-2011-0539 | P3 | HIGH | CVSS 7.5 | v5.6 | v5.7 | 2011-02-10
CVE-2011-0539 [HIGH] CWE-264: The key_certify function in usr.bin/ssh/key.c in OpenSSH 5.6 and 5.7, when generating legacy certificates using the -t command-line option in ssh-keygen, does not initialize the nonce field, which might allow remote attackers to obtain sensitive stack memory contents or make it easier to conduct hash collision attacks.
Sources: nvd, osv
CVE-2021-41617 | P3 | HIGH | CVSS 7.0 | ≥ 6.2, < 8.8 | 2021-09-26
CVE-2021-41617 [HIGH]: sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows privilege escalation because supplemental groups are not initialized as expected. Helper programs for AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges associated with group memberships of the sshd process, if the configuration spec
Sources: nvd, osv