===========================================================
== Subject:     Memory leak of ephemeral key pair during
==              repeated wrong KEX guessing may lead to DoS
==
== CVE ID#:     CVE-2025-8277
==
== Versions:    libssh >= 0.6.0, <= 0.11.3
==
== Summary:     Improper memory management during repeated key
==              exchange with incorrect guesses can cause memory
==              exhaustion and client-side DoS.
===========================================================

===========
Description
===========

A memory leak has been identified in libssh during the key exchange (KEX)
process when a client sets the `first_kex_packet_follows` flag in the KEXINIT
message (see Section 7.1 in RFC4253 [1]) and repeatedly makes incorrect KEX
guesses. During several rekeys, each guess allocates a new ephemeral key pair
without freeing the previous one in `session->next_crypto`. This can gradually
exhaust memory, especially with libgcrypt, which uses a fixed-size SECMEM pool,
leading to allocation failures and crashes.

This affects only the case where the wrong guess is from the same group as the
final algorithm (e.g. ecdh-sha2-nistp256 -> ecdh-sha2-nistp384) or when the
same underlying algorithm is used (curve25519-sha256 ->
sntrup761x25519-sha512@openssh.com).

The issue affects all supported KEX algorithms in the different crypto
backends:

 - Curve25519 (libgcrypt, OpenSSL)
 - sntrup761x25519 (libgcrypt, OpenSSL)
 - ECDH (libgcrypt, mbedTLS, OpenSSL)
 - DH/DH-GEX (OpenSSL, internal implementation)

Additionally, some ephemeral keys were not freed at all in the libgcrypt and
mbedTLS backends, and some fallback combinations could have caused failures in
the packet filter.

Servers are not affected, as they do not perform KEX guessing. Exploitation
requires an authenticated client to trigger many rekeys, making the severity
low but relevant for stability.

libssh does not guess the KEX algorithm by default. This feature can only be
enabled through the internally accessible session flag
`session->send_first_kex_follows`.
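The allocation pattern from the Description, as an added example that is not libssh's own code: a constructed C model in which each KEX guess stores an ephemeral key pair in `next_crypto`, with the leaky shape beside the fixed one and a counter of key pairs still live after a run of rekeys. All struct and function names are hypothetical.

```c
#include <stdlib.h>

/* Constructed model of the leak in the Description, not libssh's own code:
 * the ephemeral key pair lives in next_crypto and must be released before a
 * new guess allocates a replacement. live_keypairs counts outstanding keys. */
static int live_keypairs = 0;

struct ephemeral_key { unsigned char priv[32]; unsigned char pub[32]; };
struct crypto_state { struct ephemeral_key *ecdh_key; const char *kex_algo; };
struct ssh_session { struct crypto_state *next_crypto; int send_first_kex_follows; };

static struct ephemeral_key *ephemeral_key_new(void) {
    struct ephemeral_key *k = calloc(1, sizeof(*k));
    if (k) live_keypairs++;
    return k;
}

static void ephemeral_key_free(struct ephemeral_key *k) {
    if (k) { live_keypairs--; free(k); }
}

/* Vulnerable shape: every guess allocates a fresh key pair, overwriting the
 * pointer left behind by a previous wrong guess. */
static int kex_guess_leaky(struct ssh_session *s, const char *algo) {
    s->next_crypto->ecdh_key = ephemeral_key_new();
    s->next_crypto->kex_algo = algo;
    return s->next_crypto->ecdh_key ? 0 : -1;
}

/* Fixed shape: release whatever the previous guess stored before allocating. */
static int kex_guess_fixed(struct ssh_session *s, const char *algo) {
    ephemeral_key_free(s->next_crypto->ecdh_key);
    s->next_crypto->ecdh_key = ephemeral_key_new();
    s->next_crypto->kex_algo = algo;
    return s->next_crypto->ecdh_key ? 0 : -1;
}

/* Run `rekeys` rekeys in which the guess (nistp256) is wrong and the
 * negotiated algorithm (nistp384, same group) is generated afterwards.
 * Returns the number of key pairs still live once every KEX has finished. */
static int simulate_rekeys(int rekeys, int (*guess)(struct ssh_session *, const char *)) {
    struct crypto_state cs = {0};
    struct ssh_session s = { &cs, 1 };          /* send_first_kex_follows enabled */
    live_keypairs = 0;
    for (int i = 0; i < rekeys; i++) {
        (void)guess(&s, "ecdh-sha2-nistp256");  /* guessed; first_kex_packet_follows */
        (void)guess(&s, "ecdh-sha2-nistp384");  /* negotiated; the guess was wrong */
        ephemeral_key_free(cs.ecdh_key);        /* end of this KEX */
        cs.ecdh_key = NULL;
    }
    return live_keypairs;
}
```

With the leaky shape one key pair survives every rekey, so memory grows linearly with the number of rekeys; the fixed shape leaves nothing behind.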
[1] https://www.rfc-editor.org/rfc/rfc4253#section-7.1

==================
Patch Availability
==================

Patches addressing the issues have been posted to:

    https://www.libssh.org/security/

Additionally, libssh 0.11.3 has been issued as a security release to correct
the defect. SSH administrators are advised to upgrade to this release or apply
the patch as soon as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L (3.1)

==========
Workaround
==========

Do not use KEX guessing.

=======
Credits
=======

Originally reported by Francesco Rollo.
Patches provided by Francesco Rollo and Jakub Jelen.

==========================================================
== The libssh team
==========================================================