{"id":"JLSEC-2026-66","details":"OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be leveraged, by an unauthenticated remote attacker in the default configuration, to jump to any location in the sshd address space. One third-party report states \"remote code execution is theoretically possible.\"","modified":"2026-04-09T21:45:26.731719Z","published":"2026-04-09T21:32:46.691Z","upstream":["CVE-2023-25136"],"database_specific":{"sources":[{"modified":"2024-11-21T07:49:10.877Z","html_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-25136","imported":"2026-04-09T14:56:18.850Z","url":"https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2023-25136","id":"CVE-2023-25136","published":"2023-02-03T06:15:09.350Z"}],"license":"CC-BY-4.0"},"references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2023/02/13/1"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2023/02/22/1"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2023/02/22/2"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2023/02/23/3"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2023/03/06/1"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2023/03/09/2"},{"type":"WEB","url":"https://bugzilla.mindrot.org/show_bug.cgi?id=3522"},{"type":"WEB","url":"https://ftp.openbsd.org/pub/OpenBSD/patches/7.2/common/017_sshd.patch.sig"},{"type":"WEB","url":"https://github.com/openssh/openssh-portable/commit/486c4dc3b83b4b67d663fb0fa62bc24138ec3946"},{"type":"WEB","url":"https://jfrog.com/blog/openssh-pre-auth-double-free-cve-2023-25136-writeup-and-proof-of-concept/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JGAUIXJ3TEKCRKVWFQ6GDAGQFTIIGQQP/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R7LKQDFZWKYHQ65TBSH2X2HJQ4V2THS3/"},{"type":"WEB","url":"https://news.ycombinator.com/item?id=34711565"},{"type":"WEB","url":"https://security.gentoo.org/glsa/202307-01"},{"type":"WEB","url":"https://security.netapp.com/advisory/ntap-20230309-0003/"},{"type":"WEB","url":"https://www.openwall.com/lists/oss-security/2023/02/02/2"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2023/02/13/1"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2023/02/22/1"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2023/02/22/2"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2023/02/23/3"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2023/03/06/1"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2023/03/09/2"},{"type":"WEB","url":"https://bugzilla.mindrot.org/show_bug.cgi?id=3522"},{"type":"WEB","url":"https://ftp.openbsd.org/pub/OpenBSD/patches/7.2/common/017_sshd.patch.sig"},{"type":"WEB","url":"https://github.com/openssh/openssh-portable/commit/486c4dc3b83b4b67d663fb0fa62bc24138ec3946"},{"type":"WEB","url":"https://jfrog.com/blog/openssh-pre-auth-double-free-cve-2023-25136-writeup-and-proof-of-concept/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JGAUIXJ3TEKCRKVWFQ6GDAGQFTIIGQQP/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R7LKQDFZWKYHQ65TBSH2X2HJQ4V2THS3/"},{"type":"WEB","url":"https://news.ycombinator.com/item?id=34711565"},{"type":"WEB","url":"https://security.gentoo.org/glsa/202307-01"},{"type":"WEB","url":"https://security.netapp.com/advisory/ntap-20230309-0003/"},{"type":"WEB","url":"https://www.openwall.com/lists/oss-security/2023/02/02/2"}],"affected":[{"package":{"name":"OpenSSH_jll","ecosystem":"Julia","purl":"pkg:julia/OpenSSH_jll?uuid=9bd350c2-7e96-507f-8002-3f2e150b4e1b"},"ranges":[{"type":"SEMVER","events":[{"introduced":"8.9.0+0"},{"fixed":"9.1.0+0"}]}],"database_specific":{"source":"https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-66.json"}}],"schema_version":"1.7.5"}