Home

Description

A flaw was found in libssh's handling of key exchange (KEX) processes when a client repeatedly sends incorrect KEX guesses. The library fails to free memory during these rekey operations, which can gradually exhaust system memory. This issue can lead to crashes on the client side, particularly when using libgcrypt, which impacts application stability and availability.

PUBLISHED Reserved 2025-07-28 | Published 2025-09-09 | Updated 2025-10-08 | Assigner redhat




LOW: 3.1CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L

Problem types

Missing Release of Memory after Effective Lifetime

Product status

Default status
unaffected

0.6.0 (semver) before 0.11.3
affected

Default status
affected

Default status
unknown

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Timeline

2025-07-28:Reported to Red Hat.
2025-09-09:Made public.

Credits

Red Hat would like to thank Francesco Rollo for reporting this issue.

References

access.redhat.com/security/cve/CVE-2025-8277 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2383888 (RHBZ#2383888) issue-tracking

cve.org (CVE-2025-8277)

nvd.nist.gov (CVE-2025-8277)

Download JSON