Memory Exhaustion Vulnerability in libssh During Key Exchange Processes
CVE-2025-8277

3.1LOW

Key Information:

Vendor: Red Hat
Status: Red Hat Enterprise Linux 10; Red Hat Enterprise Linux 6; Red Hat Enterprise Linux 7; Red Hat Enterprise Linux 8
Vendor: CVE Published:; 9 September 2025

What is CVE-2025-8277?

A vulnerability exists in libssh that compromises the key exchange (KEX) process. When a client sends multiple incorrect KEX guesses, the library fails to release memory during the rekey operations, leading to gradual memory exhaustion. This issue can cause client-side crashes, especially when utilized with libgcrypt, thus affecting the overall stability and availability of applications that rely on libssh.

References

https://access.redhat.com/security/cve/CVE-2025-8277

vdb-entryx_refsource_REDHAT

https://bugzilla.redhat.com/show_bug.cgi?id=2383888

issue-trackingx_refsource_REDHAT

CVSS V3.1

Score:

3.1

Severity:

LOW

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 9, 2025
Vulnerability Reserved
Jul 28, 2025

Credit

Red Hat would like to thank Francesco Rollo for reporting this issue.