VYPR
High severity · 7.0 · NVD Advisory · Published Aug 24, 2015 · Updated May 27, 2026

CVE-2015-6564


Description

Use-after-free in OpenSSH sshd's PAM privilege separation code allows local privilege escalation to root.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

A use-after-free vulnerability exists in the mm_answer_pam_free_ctx function in monitor.c of OpenSSH's sshd on non-OpenBSD platforms. The bug is triggered when a MONITOR_REQ_PAM_FREE_CTX request is sent prematurely, causing the monitor process to reference freed memory. This affects Portable OpenSSH versions prior to 7.0 (i.e., versions <= 6.9p1) [2][3].
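To make the mechanics concrete, the following is an added example, not OpenSSH code: it models the monitor's PAM-context bookkeeping (the role played by sshpam_ctxt and sshpam_authok in monitor.c) on top of an instrumented pool allocator, so the pre-fix and post-fix shapes of the FREE_CTX handler can be compared without real heap corruption. All names below (pam_ctx, pam_authok, ctx_alloc, free_ctx_prefix, free_ctx_fixed, the sample user "alice") are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OpenSSH code. Names are illustrative assumptions. */

struct pam_ctx {
    char user[32];
    int authenticated;
};

/* Instrumented allocator: a fixed pool whose free() marks the slot dead and
 * counts repeated frees instead of corrupting a real heap. */
#define POOL_SLOTS 4
static struct pam_ctx pool[POOL_SLOTS];
static int pool_live[POOL_SLOTS];
static int double_free_count;   /* frees of an already-dead slot */

static struct pam_ctx *ctx_alloc(void)
{
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (!pool_live[i]) {
            pool_live[i] = 1;
            memset(&pool[i], 0, sizeof pool[i]);
            return &pool[i];
        }
    }
    return NULL;
}

/* Like free(): NULL is a no-op; freeing a dead slot is recorded, not crashed. */
static void ctx_free(struct pam_ctx *p)
{
    if (p == NULL)
        return;
    size_t i = (size_t)(p - pool);
    if (i >= POOL_SLOTS)
        return;
    if (!pool_live[i]) {
        double_free_count++;
        return;
    }
    pool_live[i] = 0;
}

/* Monitor-side state, in the spirit of sshpam_ctxt and sshpam_authok. */
static struct pam_ctx *pam_ctx;
static struct pam_ctx *pam_authok;

static void monitor_reset(void)
{
    memset(pool_live, 0, sizeof pool_live);
    double_free_count = 0;
    pam_ctx = pam_authok = NULL;
}

/* INIT_CTX: allocate a context for the given user (constructed sample input). */
int handle_init_ctx(const char *user)
{
    pam_ctx = ctx_alloc();
    if (pam_ctx == NULL)
        return -1;
    snprintf(pam_ctx->user, sizeof pam_ctx->user, "%s", user);
    pam_authok = NULL;
    return 0;
}

/* Stand-in for a successful PAM conversation: remember which context passed. */
void handle_auth_success(void)
{
    if (pam_ctx != NULL) {
        pam_ctx->authenticated = 1;
        pam_authok = pam_ctx;
    }
}

/* FREE_CTX, pre-fix shape: free first, compare afterwards, and leave both
 * globals pointing at the dead slot, so a repeated request frees it again. */
int free_ctx_prefix(void)
{
    ctx_free(pam_ctx);
    return pam_authok == pam_ctx;
}

/* FREE_CTX, post-fix shape (same ordering as commit 5e75f5198769): compute the
 * result while the pointers are valid, free, then clear both globals so a
 * repeated or premature request is harmless. */
int free_ctx_fixed(void)
{
    int r = pam_authok != NULL && pam_authok == pam_ctx;
    ctx_free(pam_ctx);
    pam_ctx = pam_authok = NULL;
    return r;
}

/* Scenario A: init, successful auth, then two FREE_CTX requests in a row.
 * Returns how many double frees the allocator observed. */
int double_frees_after_repeat(int (*free_ctx)(void))
{
    monitor_reset();
    handle_init_ctx("alice");
    handle_auth_success();
    free_ctx();
    free_ctx();
    return double_free_count;
}

/* Scenario B: a FREE_CTX request before any INIT_CTX. Returns the handler's
 * "auth ok" result; two NULL pointers must not count as a match. */
int premature_free_result(int (*free_ctx)(void))
{
    monitor_reset();
    return free_ctx();
}
```

Running scenario A with free_ctx_prefix reports one double free and with free_ctx_fixed none; scenario B shows why the fix also added the `!= NULL` term, since the pre-fix comparison answers 1 when both pointers are still NULL. The instrumented pool stands in for the heap only so the stale-pointer behaviour is observable as a counter rather than as undefined behaviour.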

Exploitation

An attacker must first gain control of the unprivileged pre-authentication process (running as the sshd user) via remote code execution or other means. With that access, the attacker can send an early MONITOR_REQ_PAM_FREE_CTX request to the privileged monitor process, exploiting the use-after-free. No further authentication is needed [2][4].

Impact

Successful exploitation leads to privilege escalation from the sshd user to root (or other users) because the monitor runs with elevated privileges. The attacker gains full control of the SSH server and potentially the entire system [2][3].

Mitigation

Fixed in OpenSSH 7.0, released on 2015-08-11 [3]. Red Hat released an advisory (RHSA-2016-0741) for affected RHEL versions [1]. No workaround is available; users should upgrade to OpenSSH 7.0 or later.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (22)

Patches (2)
5e75f5198769

set sshpam_ctxt to NULL after free

https://github.com/openssh/openssh-portable · Damien Miller · Aug 11, 2015 · via body-scan
1 file changed · +3 −1
  • monitor.c · +3 −1 · modified
    @@ -1166,14 +1166,16 @@ mm_answer_pam_respond(int sock, Buffer *m)
     int
     mm_answer_pam_free_ctx(int sock, Buffer *m)
     {
    +	int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
     
     	debug3("%s", __func__);
     	(sshpam_device.free_ctx)(sshpam_ctxt);
    +	sshpam_ctxt = sshpam_authok = NULL;
     	buffer_clear(m);
     	mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
     	auth_method = "keyboard-interactive";
     	auth_submethod = "pam";
    -	return (sshpam_authok == sshpam_ctxt);
    +	return r;
     }
     #endif
     
    
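Review bot: the added `sshpam_ctxt = sshpam_authok = NULL;` after `(sshpam_device.free_ctx)(sshpam_ctxt);` is what removes the dangling pointers, and hoisting the comparison into `int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;` before the free is what makes the return value trustworthy; the new `!= NULL` term also stops two NULL pointers from comparing equal when a FREE_CTX request arrives before any INIT_CTX. One thing to confirm: the free_ctx call is still unconditional, so a repeated request now passes NULL to the device's free_ctx, which is only safe if that callback treats NULL as a no-op, and this hunk does not show that. A one-line comment stating why r must be computed before the free would help the next reader.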
d4697fe9a28d

Don't resend username to PAM; it already has it.

https://github.com/openssh/openssh-portable · Damien Miller · Aug 11, 2015 · via body-scan
2 files changed · +0 −3
  • monitor.c · +0 −2 · modified
    @@ -1084,9 +1084,7 @@ extern KbdintDevice sshpam_device;
     int
     mm_answer_pam_init_ctx(int sock, Buffer *m)
     {
    -
     	debug3("%s", __func__);
    -	authctxt->user = buffer_get_string(m, NULL);
     	sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
     	sshpam_authok = NULL;
     	buffer_clear(m);
    
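Review bot: dropping `authctxt->user = buffer_get_string(m, NULL);` means the monitor keeps its own authctxt->user instead of overwriting privileged state with a string supplied by the unprivileged child, which is the right direction; please confirm that nothing later in the PAM path relied on this handler being the place that populated authctxt->user (the commit message says the monitor already has it). Removing the stray blank line at the top of the function is a reasonable cleanup but is unrelated whitespace churn in a security fix.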
  • monitor_wrap.c · +0 −1 · modified
    @@ -614,7 +614,6 @@ mm_sshpam_init_ctx(Authctxt *authctxt)
     
     	debug3("%s", __func__);
     	buffer_init(&m);
    -	buffer_put_cstring(&m, authctxt->user);
     	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m);
     	debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__);
     	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m);
    
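Review bot: removing `buffer_put_cstring(&m, authctxt->user);` must land together with the monitor-side change to mm_answer_pam_init_ctx in this same commit, since the MONITOR_REQ_PAM_INIT_CTX message now carries no payload and a monitor that still called buffer_get_string on it would fail on an empty buffer. `buffer_init(&m)` now exists only to send an empty message; a short comment noting that the monitor uses its own copy of the user name would make the intent clear to someone reading the wrapper alone.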

Vulnerability mechanics

No source-code context for this CVE — mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References (16)

News mentions (0)

No linked articles in our index yet.