Security Advisory 2023-008

Release Date:

Vulnerability in OpenSSH



  • 08/02/2023 --- v1.0 -- Initial publication


The development team of the OpenSSH suite has released the version 9.2 to address several security vulnerabilities, including a memory safety bug in the OpenSSH server (sshd) tracked as CVE-2023-25136. This vulnerability can be exploited by a remote attacker to execute arbitrary code on the target system [1].

Technical Details

The flaw was introduced in OpenSSH 9.1 and it is a pre-authentication double-free memory fault in the chunk of memory freed twice, during options.kex_algorithms handling. An unauthenticated attacker can trigger the double-free in the default configuration.

The vendor believes that exploitation of this vulnerability has limitations as it occurs in the unprivileged pre-auth process that is subject to chroot and is further sandboxed on most major platforms.

Affected Products

OpenSSH server (sshd) version 9.1 is affected.


CERT-EU recommends updating to OpenSSH version 9.2.



We got cookies

We only use cookies that are necessary for the technical functioning of our website. Find out more on here.