Description
A flaw was found in OpenSSH. A malicious SSH server can exploit a double free vulnerability in the Diffie-Hellman Group Exchange (DH-GEX) client path. This occurs during FIPS (Federal Information Processing Standards) mode known-group validation when the client processes attacker-controlled DH-GEX group parameters. Successful exploitation leads to client-side process termination, resulting in a Denial of Service (DoS).
Published: 2026-06-23
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A double free flaw exists in the Diffie‑Hellman Group Exchange path of OpenSSH. When an SSH client operating in FIPS mode validates attacker‑controlled DH‑GEX group parameters, the server can trigger a double free, causing the client process to terminate. The result is a denial of service that affects only the client side, potentially disrupting automated workflows that rely on SSH connectivity.

Affected Systems

Red Hat Enterprise Linux 10, 6, 7, 8, 9, Red Hat Hardened Images, and Red Hat OpenShift Container Platform 4 all ship an affected OpenSSH client. Any host in these families that runs OpenSSH in FIPS mode is vulnerable.

Risk and Exploitability

The CVSS score of 4.3 reflects a medium severity, indicating a limited but non‑negligible impact. The EPSS score is not available, so the likelihood of exploitation is uncertain, but the vulnerability is exploitable by any malicious SSH server the client connects to. It is not listed in the CISA KEV catalog, suggesting no known widespread exploitation yet. The attack vector is remote, originating from a compromised or malicious SSH server, and would require the client to engage in FIPS mode group validation to trigger the crash.

Generated by OpenCVE AI on June 23, 2026 at 04:21 UTC.

Remediation

Vendor Workaround

To mitigate this issue, OpenSSH clients operating in FIPS mode should avoid negotiating the `diffie-hellman-group-exchange-sha256` key exchange algorithm. This can be achieved by explicitly listing allowed key exchange algorithms in the client's SSH configuration file (e.g., `/etc/ssh/ssh_config` or `~/.ssh/config`), ensuring `diffie-hellman-group-exchange-sha256` is *not* included. For example, to use a subset of common algorithms, you might configure: ``` KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1 ``` (Note: The above example `KexAlgorithms` list is illustrative and should be adjusted based on your environment's security requirements.) Additionally, avoid using non-fatal client flows, such as `ssh-keyscan`, against untrusted SSH servers while FIPS mode is enabled. Changes to `ssh_config` will take effect for new SSH connections.


OpenCVE Recommended Actions

  • Edit the SSH client configuration to list an explicit KexAlgorithms set that excludes diffie-hellman-group-exchange-sha256, such as `curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1` .
  • Avoid using non‑fatal client flows such as `ssh-keyscan` against untrusted SSH servers while FIPS mode is enabled, as these may still trigger the vulnerable code path.
  • Check Red Hat’s security releases for an updated OpenSSH version that resolves the double free and apply the patch when it becomes available.

Generated by OpenCVE AI on June 23, 2026 at 04:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Jul 2026 14:15:00 +0000

Type Values Removed Values Added
References

Wed, 24 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Openssh
Openssh openssh
Redhat hardened Images
Redhat openshift Container Platform
Vendors & Products Openssh
Openssh openssh
Redhat hardened Images
Redhat openshift Container Platform

Tue, 23 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Moderate


Tue, 23 Jun 2026 03:45:00 +0000

Type Values Removed Values Added
Description A flaw was found in OpenSSH. A malicious SSH server can exploit a double free vulnerability in the Diffie-Hellman Group Exchange (DH-GEX) client path. This occurs during FIPS (Federal Information Processing Standards) mode known-group validation when the client processes attacker-controlled DH-GEX group parameters. Successful exploitation leads to client-side process termination, resulting in a Denial of Service (DoS).
Title Openssh: double free in red hat enterprise linux versions of openssh dh-gex client path during fips known-group validation leads to client-side denial of service
First Time appeared Redhat
Redhat enterprise Linux
Redhat hummingbird
Redhat openshift
Weaknesses CWE-415
CPEs cpe:/a:redhat:hummingbird:1
cpe:/a:redhat:openshift:4
cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:6
cpe:/o:redhat:enterprise_linux:7
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux
Redhat hummingbird
Redhat openshift
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}


Subscriptions

Openssh Openssh
Redhat Enterprise Linux Hardened Images Hummingbird Openshift Openshift Container Platform
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-07-08T13:59:46.452Z

Reserved: 2026-06-16T23:55:05.737Z

Link: CVE-2026-55653

cve-icon Vulnrichment

Updated: 2026-06-23T14:30:56.850Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-22T23:17:43Z

Links: CVE-2026-55653 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:06:37Z

Weaknesses