CVE-2025-26465
A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle attack can be performed by a malic
CVSS
6.8
Medium
EPSS
7.0%
p93
KEV
—
Exploit Today
28
0-100
Published: Feb 18, 2025 · Last modified: Jul 14, 2026 · CWE-390
7.0%EPSS · 30 days7.0%
2026-06-302026-07-16
A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle attack can be performed by a malicious machine impersonating a legit server. This issue occurs due to how OpenSSH mishandles error codes in specific conditions when verifying the host key. For an attack to be considered successful, the attacker needs to manage to exhaust the client's memory resource first, turning the attack complexity high.
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2025:16823
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2025:3837
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2025:6993
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2025:8385
- access.redhat.comhttps://access.redhat.com/security/cve/CVE-2025-26465
- access.redhat.comhttps://access.redhat.com/solutions/7109879
- bugzilla.redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2344780
- seclists.orghttps://seclists.org/oss-sec/2025/q1/144
- seclists.orghttp://seclists.org/fulldisclosure/2025/Feb/18
- seclists.orghttp://seclists.org/fulldisclosure/2025/May/7
- seclists.orghttp://seclists.org/fulldisclosure/2025/May/8
- blog.qualys.comhttps://blog.qualys.com/vulnerabilities-threat-research/2025/02/18/qualys-tru-discovers-two-vulnerabilities-in-openssh-cve-2025-26465-cve-2025-26466
- bugzilla.suse.comhttps://bugzilla.suse.com/show_bug.cgi?id=1237040
- ftp.openbsd.orghttps://ftp.openbsd.org/pub/OpenBSD/patches/7.6/common/008_ssh.patch.sig
- lists.debian.orghttps://lists.debian.org/debian-lts-announce/2025/02/msg00020.html
- lists.mindrot.orghttps://lists.mindrot.org/pipermail/openssh-unix-announce/2025-February/000161.html
- security-tracker.debian.orghttps://security-tracker.debian.org/tracker/CVE-2025-26465
- security.netapp.comhttps://security.netapp.com/advisory/ntap-20250228-0003/
- ubuntu.comhttps://ubuntu.com/security/CVE-2025-26465
- www.openssh.comhttps://www.openssh.com/releasenotes.html#9.9p2
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2026-534349.1 CRI29.0%
——9Detection of Error Condition Without Action vulnerability in Apache Tomcat when configuring CRLs for a FFM based connector.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M7 through 10.1.55, from 9.0.83 through 9.0.118.
Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fixes the issue.14dCVE-2026-529899.8 CRI26.9%
——8In the Linux kernel, the following vulnerability has been resolved:
nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers
Currently, when nvmet_tcp_build_pdu_iovec() detects an out-of-bounds
PDU length or offset, it triggers nvmet_tcp_fatal_error(cmd->queue)
and returns early. However, because the function returns void, the
callers are entirely unaware that a fatal error has occurred and
that the cmd->recv_msg.msg_iter was left uninitialized.
Callers such as nvmet_tcp_handle_h2c_data_pdu() proceed to blindly
overwrite the queue state with queue->rcv_state = NVMET_TCP_RECV_DATA
Consequently, the socket receiving loop may attempt to read incoming
network data into the uninitialized iterator.
Fix this by shifting the error handling responsibility to the callers.2d