CVE-2025-26465 is a vulnerability identified in OpenSSH version 6.8p1 that arises when the VerifyHostKeyDNS option is enabled. This option allows OpenSSH clients to verify the server's host key using DNS records, enhancing security by validating the server's identity. However, due to improper handling of error conditions during the host key verification process, OpenSSH fails to take appropriate action when certain errors occur. Specifically, the software mishandles error codes, which can be exploited by a malicious actor controlling a machine positioned between the client and the legitimate server (a machine-in-the-middle attack). The attacker can impersonate the legitimate server by exploiting this flaw, potentially intercepting or altering communications. A critical prerequisite for this attack is that the attacker must first exhaust the client's memory resources, which increases the attack complexity and reduces the likelihood of widespread exploitation. The vulnerability affects confidentiality and integrity by enabling unauthorized interception and modification of SSH sessions but does not impact availability. The CVSS 3.1 score of 6.8 reflects a network attack vector with high complexity, no privileges required, user interaction needed, and significant confidentiality and integrity impacts. No patches or exploits are currently documented, but the vulnerability is publicly disclosed and should be addressed promptly.

The primary impact of CVE-2025-26465 is the potential compromise of confidentiality and integrity of SSH sessions when VerifyHostKeyDNS is enabled. Successful exploitation allows an attacker to impersonate legitimate SSH servers, enabling interception and manipulation of sensitive data transmitted over SSH connections. This can lead to credential theft, unauthorized command execution, and data exfiltration. Although the attack complexity is high due to the need to exhaust client memory resources, targeted attacks against high-value assets remain a concern. Organizations relying on OpenSSH for secure remote access, especially those using DNS-based host key verification, face increased risk of MitM attacks. The vulnerability does not affect system availability directly but undermines trust in SSH communications, potentially disrupting secure administrative operations and automated processes. The absence of known exploits in the wild suggests limited current threat but does not preclude future exploitation as attackers develop techniques to overcome the memory exhaustion requirement.

To mitigate CVE-2025-26465, organizations should first verify if the VerifyHostKeyDNS option is enabled in their OpenSSH client configurations and consider disabling it if not strictly necessary. Disabling this option removes the vulnerable code path and reduces exposure. If DNS-based host key verification is required, ensure that DNSSEC is properly implemented and validated to reduce reliance on potentially spoofed DNS responses. Monitor client memory usage and implement resource limits to prevent exhaustion attacks. Upgrade OpenSSH to a version where this vulnerability is patched once available; until then, apply any vendor-provided workarounds or patches. Employ network-level protections such as SSH bastion hosts, VPNs, or strict firewall rules to limit exposure to untrusted networks. Educate users to recognize suspicious SSH connection warnings and enforce strict host key verification policies. Regularly audit SSH configurations and logs for anomalies indicating potential MitM attempts. Consider deploying intrusion detection systems capable of identifying unusual SSH traffic patterns.