Qualys released some research which resulted in two CVEs affecting OpenSSH versions 9.5p1 to 9.9p1 (inclusive). While CVE-2025-26465 affects the client only, CVE-2025-26466 is a DoS vulnerability affecting both server and client.

Through the first vulnerability, a malicious server could bypass the host key checks run by the SSH client and thus impersonate a legitimate server. This depends on a non-default setting in the client's ssh configuration file and does not affect the sshd server.

Remediation Option 1: Update OpenSSH

If you are running a vulnerable version of OpenSSH, the best way to mitigate this is to update OpenSSH to 9.9p2 (or newer). In most cases, however, your Linux distribution will not ship that version directly, but will offer a backport of the fix to the version that is currently deployed. You can check the status of the vulnerability in the Security Trackers of various distributions:

If, however, no update is available to you, you could compile a fixed version locally. Assuming you do not crucially depend on the vulnerable configuration option, we recommend simply disabling that option instead, as a much less intrusive mitigation, and discourage compiling OpenSSH manually.

Remediation Option 2: Disable VerifyHostKeyDNS

This configuration option is disabled by default. You can check the system-wide configuration file and your user's configuration file for the option:

grep -i -s 'VerifyHostKeyDNS' /etc/ssh/ssh_config ~/.ssh/config || echo 'No vulnerable configuration found'

This prints every line containing the option keyword in those files (case-insensitively, since ssh configuration keywords are not case-sensitive, and even if the option is set to No or the line is commented out, because this is a plain text match); if nothing matches in either file, it reports that no vulnerable configuration was found. The -s flag only suppresses the error for a missing ~/.ssh/config.

Note: If your SSH configuration uses Include statements (many distributions include /etc/ssh/ssh_config.d/*.conf from the system-wide file by default), you should check the included files manually as well.

To protect against exploitation of the vulnerability, simply remove those lines or set the option to No.
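As an added example (not part of the original post), the following POSIX shell snippet asks the OpenSSH client itself for the effective configuration of a host via ssh -G, which resolves Include, Host and Match blocks, so it catches settings that a plain grep over two files misses. The host name is a placeholder assumption used only to evaluate Host/Match blocks, and the check needs the OpenSSH client installed.

```shell
#!/bin/sh
# Added example: verify the *effective* VerifyHostKeyDNS value as resolved by
# "ssh -G" (available since OpenSSH 6.8), which already applies every Include,
# Host and Match directive, rather than grepping individual files.

# Parse "ssh -G" style output from stdin and print the effective value of
# VerifyHostKeyDNS: "yes", "no", "ask", or "unknown" if the keyword is absent.
effective_vhkd() {
    awk 'tolower($1) == "verifyhostkeydns" { v = tolower($2) }
         END { print (v == "" ? "unknown" : v) }'
}

# Return 0 if the effective configuration for HOST is safe (option is "no"),
# 1 otherwise. HOST is a placeholder (assumption); ssh -G does not connect to it,
# it only evaluates the configuration that would apply to that host name.
check_host() {
    host="${1:-example.invalid}"
    value="$(ssh -G "$host" 2>/dev/null | effective_vhkd)"
    case "$value" in
        no)      echo "ok: VerifyHostKeyDNS=no for $host"; return 0 ;;
        unknown) echo "warning: could not determine the setting (is ssh installed?)"; return 1 ;;
        *)       echo "VULNERABLE CONFIG: VerifyHostKeyDNS=$value for $host"; return 1 ;;
    esac
}

# Usage: check_host <host-name-you-connect-to>
```

Run check_host for each host alias you actually connect to, since a Host or Match block can enable the option for one destination only.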