Vulnerability Management

Remediation Guide for OpenSSH CVE-2023-25136 Pre-Auth Double Free Vulnerability

The vulnerability was discovered in OpenSSH in version 9.1. It allows an unauthenticated attacker to trigger a double-free response when handling the options.kex_algorithms procedure.

Shivankar Singh

Written by Shivankar Singh

February 16, 2023 | 3 min read



On February 2, OpenSSH released the 9.2 update, which includes fixes for a previously known double-free vulnerability. The vulnerability was identified as CVE-2023-25136 and can be exploited by an attacker to execute arbitrary code on the vulnerable system. The vulnerability is considered double-free because it allows an attacker to free up the system memory twice.

The vulnerability in OpenSSH allows attackers to perform arbitrary code execution, buffer overflow, and memory corruption. It is a pre-authentication double-free vulnerability that needs to be fixed.

About the CVE-2023-25136 – OpenSSH vulnerability

This vulnerability is a pre-authentication issue that allows an attacker to double-free a memory chunk in OpenSSH, a free and open-source library of the SSH (Secure Shell) protocol. An error in the options causes the issue.kex_algorithms function. The vulnerability is caused by incorrect handling of “options.kex_algorithms”.

The options.kex_algorithms is being freed twice. It frees for the first time when the function “do ssh2_kex” is called, which then calls the “compat_kex_proposal” function. When “options.kex_algorithms” is freed, it becomes a “dangling pointer” if a compatibility setting called “SSH_BUG_CURVE25519PAD” is not set and another called “SSH_OLD_DHGEX” is set. This means that it refers to memory that has been released and can no longer be used.

The implementation of “options.kex_algorithms” incorrectly frees up a chunk of memory that was previously freed by “kex_assemble_names”, with “listp” set to “&options.kex_algorithms”.

CVSS score of 9.8 is considered critical, and immediate fixes must be made.

What is OpenSSH?

Due to the increasing popularity of cloud computing and the need for remote access to various systems, OpenSSH became a vital tool for developers and system administrators.

OpenSSH is commonly used for secure remote access and communication. The OpenSSH project was created as a free and open-source source implementation of the secure-shell (SSH) communication protocol and is utilized by many applications.

An OpenSSH connection is secure and encrypted between two untrusted hosts on an insecure network. This is a useful tool for secure file transfer and remote login. OpenSSH is commonly used in various Unix-based systems, such as macOS and Linux. It is also used in modern and widely-used operating systems.

Affected versions 

The vulnerability affects all OpenSSH versions equal to or lower than the OpenSSH server (sshd 9.1. To fix this issue, please run the command below to check the version of OpenSSH running on your machine. 

ssh -V

How to remediate CVE-2023-25136- Double Free vulnerability in OpenSSH

To address the issue, OpenSSH has released a patch. The update fixes a vulnerability that allows people to bypass the authentication process to access the system. To confirm that you have the latest version of OpenSSH, you should upgrade to version 9.2 or 9.2p1 to ensure that the pre-authentication double-free vulnerability is fixed.

The installation process is simple if your distribution has a compelled version of the OpenSSH server.

  1. Check the OpenSSH version and run the following command to determine the OpenSSH version: 
$ ssh -V
  1. If you have an affected version- To fix the vulnerability, download the latest version, 9.2. of the OpenSSH package.


The latest version of OpenSSH 9.2 is recommended for users and customers to ensure that they have the necessary security measures to avoid potential security risks. OpenSSH has a long history of providing reliable and secure remote access, and this latest release of 9.2 adds numerous new features and improvements. These changes can help users keep up with the latest advancements and security measures.

How PingSafe can help you detect vulnerabilities

Pingsafe identifies, prioritizes, and responds to your cloud infrastructure’s most critical vulnerabilities and threats. PingSafe can help you monitor and improve your cloud security posture and protect yourself from attacks.

With the agentless platform from PingSafe, you can get a complete view of your cloud estate. Moreover, it deploys in minutes and gives you the necessary visibility into your cloud estate.

Besides having full coverage, PingSafe’s Vulnerability Management automatically identifies and prioritizes the most vulnerable areas and provides a comprehensive overview of your cloud environment’s most vulnerable components. This allows security teams to focus on the most critical threats. 

Sign up for a free personalized demo today!