VYPR
High severity · NVD Advisory · Published Jul 12, 2021 · Updated Aug 3, 2024

DoS/OOM leak vulnerability in Apache Mina SSHD Server

CVE-2021-30129

Description

Apache Mina SSHD versions 2.0.0 through 2.6.x have a memory overflow vulnerability in sshd-core affecting SFTP and port forwarding, leading to denial of service via OutOfMemory error.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A vulnerability exists in the sshd-core module of Apache Mina SSHD, specifically in the BufferedIoOutputStream class, where data written to the buffer is queued without any upper limit [2]. This issue affects the SFTP and port forwarding features of Apache Mina SSHD versions 2.0.0 through 2.6.x [1][3]. The fix was introduced in version 2.7.0 [1][3]. Because the BufferedIoOutputStream imposes no maximum on pending data, an attacker can keep writing until the server runs out of memory [2].

Exploitation

An attacker needs network access to the vulnerable Mina SSHD server. No authentication is required because the vulnerability can be triggered during the unauthenticated phase of the SFTP or port forwarding session setup [1][3]. By sending a specially crafted sequence of data packets that exploit the unbounded buffering, the attacker can cause the server to accumulate large amounts of data in memory without blocking, leading to an OutOfMemory error [2][3]. This is a denial-of-service attack that does not require any user interaction or special privileges [1].

Impact

Successful exploitation results in denial of service due to an OutOfMemory error. The server becomes unresponsive or crashes, impacting the availability of the SFTP and port forwarding services [1][3]. The confidentiality and integrity of data are not directly affected, but the service disruption can lead to operational downtime [1].

Mitigation

Apache Mina SSHD version 2.7.0 addresses this issue by adding an upper bound to the data pending in the BufferedIoOutputStream, typically set to the maximum window size, blocking writes when the buffer is full to prevent memory exhaustion [2][3]. Users should upgrade to version 2.7.0 or later. There is no known workaround for unpatched versions [1][2][3].
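The shape of the fix described above, as an added model that is not part of this advisory and not Mina SSHD's BufferedIoOutputStream: with no cap, the pending byte count grows with every write a stalled peer never consumes; with a cap equal to the window, the writer blocks instead, so a peer that stops reading costs the server at most one window of memory. The class and function names, the sizes and the stalled-peer scenario are constructed for the example.

```python
import threading


class PendingBuffer:
    # Constructed model of an outbound channel buffer; not Mina SSHD code.
    # max_pending=None: the pre-2.7.0 shape, every write is queued, no back-pressure.
    # finite max_pending: the 2.7.0 shape, a write blocks until the peer drains room.
    def __init__(self, max_pending=None):
        self.max_pending = max_pending
        self.pending = 0  # bytes queued but not yet consumed by the peer
        self.peak = 0     # highest value pending has reached
        self._cv = threading.Condition()

    def _has_room(self, nbytes):
        return self.max_pending is None or self.pending + nbytes <= self.max_pending

    def write(self, nbytes, timeout=None):
        # With a cap, wait (up to timeout) for room instead of growing the queue.
        if self.max_pending is not None and nbytes > self.max_pending:
            raise ValueError("single write larger than the window")
        with self._cv:
            if not self._cv.wait_for(lambda: self._has_room(nbytes), timeout):
                raise TimeoutError("peer is not consuming; write stays blocked")
            self.pending += nbytes
            self.peak = max(self.peak, self.pending)

    def drain(self, nbytes):
        # The peer consumed nbytes; wake any writer blocked waiting for room.
        with self._cv:
            self.pending = max(0, self.pending - nbytes)
            self._cv.notify_all()


def peak_with_stalled_peer(buf, chunk, n_chunks, timeout=0.05):
    # A peer that never reads, the worst case for an unbounded buffer.
    # Returns (peak pending bytes, number of writes that completed).
    done = 0
    for _ in range(n_chunks):
        try:
            buf.write(chunk, timeout=timeout)
        except TimeoutError:
            break
        done += 1
    return buf.peak, done


if __name__ == "__main__":
    print(peak_with_stalled_peer(PendingBuffer(), 1024, 100))                  # (102400, 100)
    print(peak_with_stalled_peer(PendingBuffer(max_pending=4096), 1024, 100))  # (4096, 4)
```

With the cap in place, memory use stops at the window and the blocked writer is what signals a non-consuming peer; draining room lets the same writer continue.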

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                    Ecosystem  Affected versions   Patched versions
org.apache.sshd:sshd-mina  Maven      >= 2.0.0, < 2.7.0   2.7.0
org.apache.sshd:sshd-core  Maven      >= 2.0.0, < 2.7.0   2.7.0

Affected products: 3

Patches: 0
No patches discovered yet.

Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.

References: 10

News mentions: 0
No linked articles in our index yet.