Qualys published research that resulted in two CVEs affecting OpenSSH versions 9.5p1 to 9.9p1 (inclusive). While CVE-2025-26465 affects the client only, CVE-2025-26466 is a DoS vulnerability affecting both server and client.
The DoS is caused by exhaustion of CPU and memory and affects both servers and clients (the latter when connecting to malicious servers).
If you are running a vulnerable version of OpenSSH, the best way to mitigate this is to update the service to 9.9p2 (or later). In most cases, however, your Linux distribution will not ship that version directly but will offer a backport of the fix to the version currently deployed. You can check the status of the vulnerability in the security trackers of the various distributions:
Even with the update applied, it is reasonable to evaluate and apply the hardening discussed in the alternative remediation option.
If no update is available for you, you could compile a fixed version locally. Given the low impact of the vulnerability and the less intrusive mitigation options available, we discourage that in this case.
The options LoginGraceTime, MaxStartups and PerSourcePenalties (9.8p1 and later) control timeouts and limits on clients attempting a connection to the server, thus completely mitigating exploitation of this vulnerability for a DoS against the server:
The server disconnects after this time if the user has not successfully logged in. If the value is 0, there is no time limit. The default is 120 seconds.
https://man.openbsd.org/sshd_config#LoginGraceTime
Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon. Additional connections will be dropped until authentication succeeds or the LoginGraceTime expires for a connection. […]
https://man.openbsd.org/sshd_config#MaxStartups
This can be a plain number or a colon-separated rate limiter such as the default of 10:30:100. Once 10 unauthenticated connections are open, sshd starts randomly dropping new connection attempts with a probability of 30%, and that probability rises linearly until all new attempts are dropped once 100 unauthenticated connections are open.
Controls penalties for various conditions that may represent attacks on sshd(8). If a penalty is enforced against a client then its source address and any others in the same network, as defined by PerSourceNetBlockSize, will be refused connection for a period. A penalty doesn't affect concurrent connections in progress, […]
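The following shell script is an added example (not code from the original post or from OpenSSH). It audits an sshd_config for the three options discussed above and models the MaxStartups rate limiter, so you can see how many new connection attempts sshd would drop at a given number of open unauthenticated connections. Both config files it reads are constructed samples written to temporary files; the thresholds it flags (LoginGraceTime above 60 seconds, a MaxStartups cap above 50) and the PerSourcePenalties values in the hardened sample are this example's assumptions, not recommendations from the post. It assumes a flat config without Match blocks and plain-integer LoginGraceTime values.

```shell
#!/bin/sh
# Added example: audit sshd_config DoS-hardening options and model MaxStartups.
# Not part of the original post; thresholds below are assumptions.

# Constructed sample 1: the upstream defaults, i.e. not yet hardened.
SAMPLE_CONFIG=$(mktemp)
cat >"$SAMPLE_CONFIG" <<'EOF'
# constructed sample config with upstream defaults
Port 22
LoginGraceTime 120
MaxStartups 10:30:100
EOF

# Constructed sample 2: a hardened counterpart. grace-exceeded and max are
# documented PerSourcePenalties keywords; the numbers are example values.
HARDENED_CONFIG=$(mktemp)
cat >"$HARDENED_CONFIG" <<'EOF'
Port 22
LoginGraceTime 30
MaxStartups 10:30:50
PerSourcePenalties grace-exceeded:20 max:600
EOF
trap 'rm -f "$SAMPLE_CONFIG" "$HARDENED_CONFIG"' EXIT

# Print the value of a keyword from a flat sshd_config (no Match blocks).
# Keywords are case-insensitive and sshd uses the first occurrence.
# Empty output means the keyword is not set and the default applies.
config_value() {
    # $1 = config file, $2 = keyword
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || NF < 2 { next }
        !found && tolower($1) == key {
            val = $0; sub(/^[ \t]*[^ \t]+[ \t]+/, "", val); found = 1
        }
        END { print val }
    ' "$1"
}

# Percentage of new unauthenticated connections sshd drops under
# MaxStartups start:rate:full at a given number of open unauthenticated
# connections: 0 below start, rate at start, rising linearly to 100 at full.
# Integer arithmetic mirrors the ramp described in the man page excerpt.
drop_percent() {
    # $1 = open unauthenticated connections, $2 = MaxStartups value
    startups=$1
    begin=${2%%:*}
    rest=${2#*:}
    if [ "$rest" = "$2" ]; then
        rate=100; full=$begin          # plain number: hard cap, no ramp
    else
        rate=${rest%%:*}; full=${rest#*:}
    fi
    if [ "$startups" -lt "$begin" ]; then echo 0; return; fi
    if [ "$startups" -ge "$full" ] || [ "$rate" -eq 100 ]; then echo 100; return; fi
    echo $(( (100 - rate) * (startups - begin) / (full - begin) + rate ))
}

# Report settings that still leave sshd exposed to slow/unauthenticated
# connection buildup. Prints one line per finding, returns the finding count.
audit_config() {
    # $1 = path to sshd_config
    findings=0
    lgt=$(config_value "$1" LoginGraceTime); lgt=${lgt:-120}
    case $lgt in
        *[!0-9]*) echo "LoginGraceTime $lgt: time suffixes are not audited by this example" ;;
        0) echo "LoginGraceTime 0: no limit, unauthenticated sessions never time out"
           findings=$((findings + 1)) ;;
        *) if [ "$lgt" -gt 60 ]; then
               echo "LoginGraceTime $lgt: consider 30 seconds or less (assumed threshold: 60)"
               findings=$((findings + 1))
           fi ;;
    esac
    ms=$(config_value "$1" MaxStartups); ms=${ms:-10:30:100}
    full=${ms##*:}
    if [ "$full" -gt 50 ]; then
        echo "MaxStartups $ms: up to $full unauthenticated connections allowed (assumed threshold: 50)"
        findings=$((findings + 1))
    fi
    psp=$(config_value "$1" PerSourcePenalties)
    if [ "$(printf '%s' "$psp" | tr 'A-Z' 'a-z')" = "no" ]; then
        echo "PerSourcePenalties no: penalties disabled, repeated offenders are not refused"
        findings=$((findings + 1))
    fi
    return $findings
}

for f in "$SAMPLE_CONFIG" "$HARDENED_CONFIG"; do
    echo "== $f =="
    audit_config "$f" && echo "no findings" || echo "-> $? finding(s)"
done
echo "== MaxStartups 10:30:100 drop percentage by open unauthenticated connections =="
for n in 5 10 30 55 80 100; do
    echo "$n open -> $(drop_percent "$n" 10:30:100)% dropped"
done
```

On a live host, the effective values (including defaults and Match-block results) come from `sshd -T`, so run `sshd -T | grep -iE 'logingracetime|maxstartups|persourcepenalties'` rather than parsing the file by hand; the parser above only exists so the example runs offline.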