CVE-2023-51767
Description
CVE-2023-51767 describes a potential authentication bypass in OpenSSH via row hammer attacks causing a single bit flip in the 'authenticated' variable, though the supplier disputes its applicability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
According to the CVE description and references [1][2][4], OpenSSH through version 10.0, when used with common DRAM types, might be susceptible to row hammer attacks. The specific concern is that the integer value of `authenticated` in the `mm_answer_authpassword` function could be flipped by a single bit, leading to authentication bypass. The vulnerability requires attacker-victim co-location with the attacker having user privileges. The supplier disputes this, stating it is not the application's responsibility to defend against platform architectural weaknesses [3].
Exploitation
Exploitation would require the attacker to be co-located on the same system as the victim, with user-level privileges, and to execute a row hammer attack to induce a single bit flip in the `authenticated` variable during the authentication process [2][4]. The attacker would need to perform memory access patterns that cause DRAM row hammering, which is a platform-level attack.
Impact
If successfully exploited, the attacker could bypass authentication in OpenSSH, potentially gaining unauthorized access to the system. However, the OpenSSH developers and some third parties consider this infeasible in practice, as it depends on overcoming platform-level mitigations like ECC memory and modern DRAM refresh rates [3][4].
Mitigation
No official patch has been released by the OpenSSH project, as they dispute the vulnerability's validity [3]. Workarounds include using ECC memory, enabling hardware mitigations for row hammer attacks, and relying on platform security features. Ubuntu notes that the attack was demonstrated on a modified version of sshd and is not considered practically exploitable [4].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- OpenSSH/OpenSSH (description)
  - Range: <=10.0
- osv-coords, 28 versions (no CPE), range < 9.6_p1-r0 for each:
  - pkg:apk/chainguard/openssh
  - pkg:apk/chainguard/openssh-client
  - pkg:apk/chainguard/openssh-doc
  - pkg:apk/chainguard/openssh-keygen
  - pkg:apk/chainguard/openssh-keyscan
  - pkg:apk/chainguard/openssh-keysign
  - pkg:apk/chainguard/openssh-pam-config
  - pkg:apk/chainguard/openssh-pam-configuration
  - pkg:apk/chainguard/openssh-pkcs11-helper
  - pkg:apk/chainguard/openssh-server
  - pkg:apk/chainguard/openssh-server-config
  - pkg:apk/chainguard/openssh-service
  - pkg:apk/chainguard/openssh-sftp-server
  - pkg:apk/chainguard/openssh-sk-helper
  - pkg:apk/wolfi/openssh
  - pkg:apk/wolfi/openssh-client
  - pkg:apk/wolfi/openssh-doc
  - pkg:apk/wolfi/openssh-keygen
  - pkg:apk/wolfi/openssh-keyscan
  - pkg:apk/wolfi/openssh-keysign
  - pkg:apk/wolfi/openssh-pam-config
  - pkg:apk/wolfi/openssh-pam-configuration
  - pkg:apk/wolfi/openssh-pkcs11-helper
  - pkg:apk/wolfi/openssh-server
  - pkg:apk/wolfi/openssh-server-config
  - pkg:apk/wolfi/openssh-service
  - pkg:apk/wolfi/openssh-sftp-server
  - pkg:apk/wolfi/openssh-sk-helper
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The integer value of authenticated in mm_answer_authpassword does not resist bit flips from row hammer attacks."
Attack vector
An attacker with user privileges on a co-located system can exploit row hammer vulnerabilities in DRAM to flip bits in memory. This can corrupt the `authenticated` integer value used in OpenSSH's authentication process. The corrupted value may then be interpreted incorrectly, potentially leading to an authentication bypass.
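The following added example (not OpenSSH code, and not a fix from the OpenSSH project) shows why a 0/non-zero result flag does not resist a single bit flip, by counting how many one-bit corruptions of a stored failure value each style of check would accept. The constants `AUTH_FAIL` and `AUTH_OK` and all function names are hypothetical and chosen only for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical encodings, not taken from OpenSSH. AUTH_OK is the bitwise
 * complement of AUTH_FAIL, so the two values differ in all 32 bits. */
#define AUTH_FAIL UINT32_C(0x3CA5965A)
#define AUTH_OK   UINT32_C(0xC35A69A5)

/* Pattern the CVE text describes: any non-zero value counts as success. */
static int accept_truthy(uint32_t authenticated) { return authenticated != 0; }

/* Bit-flip-tolerant pattern: exactly one 32-bit value counts as success. */
static int accept_strict(uint32_t authenticated) { return authenticated == AUTH_OK; }

/* Count the single-bit flips of a stored failure value that `check` accepts. */
static int flips_accepted(uint32_t fail_value, int (*check)(uint32_t))
{
    int accepted = 0;
    for (int bit = 0; bit < 32; bit++)
        if (check(fail_value ^ (UINT32_C(1) << bit)))
            accepted++;
    return accepted;
}

/* Number of bits that must change to turn value a into value b. */
static int hamming_distance(uint32_t a, uint32_t b)
{
    uint32_t x = a ^ b;
    int n = 0;
    while (x) {
        n += (int)(x & 1u);
        x >>= 1;
    }
    return n;
}

int main(void)
{
    printf("truthy check, failure stored as 0: %d of 32 single-bit flips accepted\n",
           flips_accepted(0, accept_truthy));
    printf("strict check, failure stored as AUTH_FAIL: %d of 32 single-bit flips accepted\n",
           flips_accepted(AUTH_FAIL, accept_strict));
    printf("bits that must change to turn AUTH_FAIL into AUTH_OK: %d\n",
           hamming_distance(AUTH_FAIL, AUTH_OK));
    return 0;
}
```

An encoding like this only raises the number of simultaneous bit errors needed in one variable; it does not address the underlying DRAM weakness.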
Affected code
The vulnerability is described as affecting the `mm_answer_authpassword` function within OpenSSH.
What the fix does
The advisory does not specify a patch or remediation steps. The supplier disputes the vulnerability, stating that it is not the application's responsibility to defend against platform architectural weaknesses.
Preconditions
- config: The system must use common types of DRAM susceptible to row hammer attacks.
- auth: The attacker must have user privileges on the system.
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- access.redhat.com/security/cve/CVE-2023-51767 (nvd; Third Party Advisory)
- bugzilla.redhat.com/show_bug.cgi (nvd; Issue Tracking, Third Party Advisory)
- security.netapp.com/advisory/ntap-20240125-0006/ (nvd; Third Party Advisory)
- ubuntu.com/security/CVE-2023-51767 (nvd; Third Party Advisory)
- arxiv.org/abs/2309.02545 (nvd; Technical Description)
- github.com/openssh/openssh-portable/blob/8241b9c0529228b4b86d88b1a6076fb9f97e4a99/auth-passwd.c (nvd; Product)
- github.com/openssh/openssh-portable/blob/8241b9c0529228b4b86d88b1a6076fb9f97e4a99/monitor.c (nvd; Product)
- www.openwall.com/lists/oss-security/2025/09/22/1 (nvd)
- www.openwall.com/lists/oss-security/2025/09/22/2 (nvd)
- www.openwall.com/lists/oss-security/2025/09/23/1 (nvd)
- www.openwall.com/lists/oss-security/2025/09/23/3 (nvd)
- www.openwall.com/lists/oss-security/2025/09/23/4 (nvd)
- www.openwall.com/lists/oss-security/2025/09/23/5 (nvd)
- www.openwall.com/lists/oss-security/2025/09/24/4 (nvd)
- www.openwall.com/lists/oss-security/2025/09/24/7 (nvd)
- www.openwall.com/lists/oss-security/2025/09/25/2 (nvd)
- www.openwall.com/lists/oss-security/2025/09/25/6 (nvd)
- www.openwall.com/lists/oss-security/2025/09/26/2 (nvd)
- www.openwall.com/lists/oss-security/2025/09/26/4 (nvd)
- www.openwall.com/lists/oss-security/2025/09/27/1 (nvd)
- www.openwall.com/lists/oss-security/2025/09/27/2 (nvd)
- www.openwall.com/lists/oss-security/2025/09/27/3 (nvd)
- www.openwall.com/lists/oss-security/2025/09/27/4 (nvd)
- www.openwall.com/lists/oss-security/2025/09/27/5 (nvd)
- www.openwall.com/lists/oss-security/2025/09/27/6 (nvd)
- www.openwall.com/lists/oss-security/2025/09/27/7 (nvd)
- www.openwall.com/lists/oss-security/2025/09/28/7 (nvd)
- www.openwall.com/lists/oss-security/2025/09/29/1 (nvd)
- www.openwall.com/lists/oss-security/2025/09/29/4 (nvd)
- www.openwall.com/lists/oss-security/2025/09/29/5 (nvd)
- www.openwall.com/lists/oss-security/2025/09/29/6 (nvd)
- www.openwall.com/lists/oss-security/2025/10/01/1 (nvd)
- www.openwall.com/lists/oss-security/2025/10/01/2 (nvd)