OpenSSH 9.9p1 Update Closes MITM Attack Gap

In a recent release, the corrective version OpenSSH 9.9p1 has been made available to address two vulnerabilities identified by Qualys. These vulnerabilities could be exploited to perform a Man-in-the-Middle (MITM) attack, allowing an attacker to redirect SSH traffic to a fake server and bypass security checks.

The first vulnerability (CVE-2025-26465) stems from a logic error in the ssh client, allowing the server identity check to be circumvented and facilitating a MITM attack. This issue has been present since the OpenSSH 6.8p1 release in December 2014, and applies to configurations with the VerifyHostKeyDNS option enabled.

The vulnerability arises from a flaw in the verify_host_key_callback() function, where only the error code “-1” is recognized as a failure, while other error codes such as “-2” are ignored. By creating conditions that prevent memory allocation in the verify_host_key() function, an attacker can deceive the SSH client into accepting a fake host key.
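The fail-open error-handling pattern described above, modelled in C as an added illustration (this is a constructed model, not OpenSSH source). The hypothetical model_verify_host_key() stands in for verify_host_key() and returns -2 when an allocation fails; the two callbacks show the difference between checking for one specific error code and treating anything other than success as fatal.

```c
#include <stdio.h>

/* Constructed return codes modelling the three outcomes of a host key check. */
#define HOSTKEY_OK        0   /* key matches a trusted key */
#define HOSTKEY_MISMATCH -1   /* key does not match */
#define HOSTKEY_INTERNAL -2   /* allocation or other internal error: nothing was verified */

/* Hypothetical stand-in for verify_host_key(). 'alloc_fails' simulates
 * the memory pressure that makes the real function bail out early. */
static int model_verify_host_key(int key_matches, int alloc_fails)
{
    if (alloc_fails)
        return HOSTKEY_INTERNAL;   /* could not even compare the key */
    return key_matches ? HOSTKEY_OK : HOSTKEY_MISMATCH;
}

/* Vulnerable pattern: only -1 aborts the connection. A -2 result falls
 * through and the unverified key is accepted. Returns 1 if the connection proceeds. */
int callback_vulnerable(int key_matches, int alloc_fails)
{
    int r = model_verify_host_key(key_matches, alloc_fails);
    if (r == HOSTKEY_MISMATCH)
        return 0;          /* fatal: host key verification failed */
    return 1;              /* proceeds, even when r == -2 */
}

/* Hardened pattern: any result other than success is fatal (fail closed). */
int callback_hardened(int key_matches, int alloc_fails)
{
    int r = model_verify_host_key(key_matches, alloc_fails);
    if (r != HOSTKEY_OK)
        return 0;          /* mismatch and internal error are both fatal */
    return 1;
}

int main(void)
{
    /* Constructed scenario: wrong key presented while allocation fails. */
    printf("vulnerable callback: %s\n", callback_vulnerable(0, 1) ? "ACCEPTED" : "rejected");
    printf("hardened callback:   %s\n", callback_hardened(0, 1) ? "ACCEPTED" : "rejected");
    return 0;
}
```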

The second vulnerability (CVE-2025-26466) affects both SSH clients and servers, allowing an attacker to exhaust process memory and increase CPU load by sending a large number of SSH2_MSG_PING packets. This memory leak has been present since the OpenSSH 9.5p1 release in August 2023. To mitigate this vulnerability, it is recommended to configure restrictions using directives such as LoginGraceTime, MaxStartups, and PerSourcePenalties.
