A flaw was found in libssh's handling of key exchange (KEX) processes when a client repeatedly sends incorrect KEX guesses. The library fails to free memory during these rekey operations, which can gradually exhaust system memory. This issue can lead to crashes on the client side, particularly when using libgcrypt, which impacts application stability and availability.
Fixes

Solution

No solution given by the vendor.


Workaround

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability. It is strongly advised to apply updated libssh packages once available to prevent memory exhaustion risks on client systems.

History

Wed, 10 Sep 2025 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Low


Tue, 09 Sep 2025 23:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Sep 2025 12:00:00 +0000

Type Values Removed Values Added
Description A flaw was found in libssh's handling of key exchange (KEX) processes when a client repeatedly sends incorrect KEX guesses. The library fails to free memory during these rekey operations, which can gradually exhaust system memory. This issue can lead to crashes on the client side, particularly when using libgcrypt, which impacts application stability and availability.
Title Libssh: memory exhaustion via repeated key exchange in libssh
First Time appeared Redhat
Redhat enterprise Linux
Redhat openshift
Weaknesses CWE-401
CPEs cpe:/a:redhat:openshift:4
cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:6
cpe:/o:redhat:enterprise_linux:7
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux
Redhat openshift
References
Metrics cvssV3_1

{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L'}


cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2025-09-29T14:04:12.226Z

Reserved: 2025-07-28T11:02:27.938Z

Link: CVE-2025-8277

cve-icon Vulnrichment

Updated: 2025-09-09T19:28:21.032Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2025-09-09T12:15:30.677

Modified: 2025-09-09T16:28:43.660

Link: CVE-2025-8277

cve-icon Redhat

Severity : Low

Publid Date: 2025-09-09T00:00:00Z

Links: CVE-2025-8277 - Bugzilla

cve-icon OpenCVE Enrichment

No data.