Security Bulletin: OpenSSH Vulnerabilities (CVE-2025-26465 and CVE-2025-26466)

Audience
Public
Product
FlashBlade
FlashArray
Content Type
Source Type
Common Vulnerabilities and Exposures (CVE)

Security Bulletin: OpenSSH Vulnerabilities (CVE-2025-26465 and CVE-2025-26466)

Vulnerability Status: Final Source: Third Party / OSS Initial Publication Date: 2025-02-18 Last Updated: 2026-06-25 06:26:21

Summary:

A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle attack can be performed by a malicious machine impersonating a legit server. This issue occurs due to how OpenSSH mishandles error codes in specific conditions when verifying the host key. For an attack to be considered successful, the attacker needs to manage to exhaust the client's memory resource first, turning the attack complexity high.


CVE#: CVE-2025-26465

Vulnerability score (v3): 6.8

Vector (v3): 3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

Severity (v3): 3 - Medium

Product(s): FlashArray, FlashBlade

Version First Fixed: Not affected


References:

https://nvd.nist.gov/vuln/detail/CVE-2025-26465