OpenSSH: double free in Red Hat Enterprise Linux versions of OpenSSH DH-GEX client path during FIPS known-group validation leads to client-side denial of service
Description
A flaw was found in OpenSSH. A malicious SSH server can exploit a double free vulnerability in the Diffie-Hellman Group Exchange (DH-GEX) client path. This occurs during FIPS (Federal Information Processing Standards) mode known-group validation when the client processes attacker-controlled DH-GEX group parameters. Successful exploitation leads to client-side process termination, resulting in a Denial of Service (DoS).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability mechanics
Root cause
"Missing pointer nullification after ownership transfer in `input_kex_dh_gex_group()` allows a double free when FIPS known-group validation fails."
Attack vector
An attacker-controlled SSH server negotiates `diffie-hellman-group-exchange-sha256` with an affected client and returns DH group parameters `(p, g)` that pass the size check but fail the FIPS known-group validation. The client's `input_kex_dh_gex_group()` function transfers ownership of those BIGNUMs into `kex->dh` via `dh_new_group()`, then jumps to `out` on the validation failure without nulling the local pointers. The local cleanup frees the BIGNUMs, and later teardown in `kex_free()` calls `DH_free(kex->dh)`, which frees the same objects again, causing a double free [ref_id=1].
Affected code
The vulnerability is in `kexgexc.c` in the `input_kex_dh_gex_group()` function, with later teardown in `kex.c` (`kex_free()`). The bug occurs because the pointer nullification (`p = g = NULL`) is placed *after* the FIPS known-group check, so when that check fails and execution jumps to `out`, the local `BN_clear_free()` calls free BIGNUMs that are already owned by `kex->dh`, and a subsequent `DH_free(kex->dh)` frees them again.
What the fix does
The proposed patch moves the `p = g = NULL` assignment immediately after the successful `dh_new_group()` call, before the FIPS known-group check. This ensures that when the validation fails and execution jumps to `out`, the local pointers are already null, so the `BN_clear_free()` calls are no-ops and the BIGNUMs remain owned solely by `kex->dh` for proper cleanup via `DH_free()` [ref_id=1].
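The ordering problem and the fix described above, as an added C model that is not OpenSSH or Red Hat code. `num_t`, `group_t` and the helper names are hypothetical stand-ins for the BIGNUM/DH objects and their free routines, and releases are counted instead of passed to `free()` so the second release can be observed safely.

```c
/* Constructed model of the ownership flow; not OpenSSH code. num_t, group_t
 * and the helpers are hypothetical stand-ins for BIGNUM, DH, dh_new_group(),
 * BN_clear_free() and DH_free(). Releases are counted, never really freed. */
#include <stdio.h>

typedef struct { int frees; } num_t;
typedef struct { num_t *p, *g; } group_t;

static void num_free(num_t *n) { if (n != NULL) n->frees++; } /* NULL: no-op */

/* Takes ownership of p and g, as the page says dh_new_group() does. */
static void group_init(group_t *grp, num_t *p, num_t *g) { grp->p = p; grp->g = g; }

static void group_free(group_t *grp) {
    num_free(grp->p);
    num_free(grp->g);
    grp->p = grp->g = NULL;
}

/* null_early = 0: locals cleared after the known-group check (affected order).
 * null_early = 1: locals cleared right after the transfer (fixed order). */
static int handle_group(group_t *kex_dh, num_t *p, num_t *g,
                        int known_group, int null_early) {
    int r = -1;
    group_init(kex_dh, p, g);   /* ownership moves to kex_dh */
    if (null_early)
        p = g = NULL;
    if (!known_group)
        goto out;               /* validation failure path */
    if (!null_early)
        p = g = NULL;
    r = 0;
out:
    num_free(p);                /* local cleanup */
    num_free(g);
    return r;
}

/* Handler plus later teardown; returns the highest release count seen.
 * 1 = each object released once, 2 = the same object released twice. */
int max_frees(int known_group, int null_early) {
    num_t p = {0}, g = {0};
    group_t kex_dh = {NULL, NULL};
    (void)handle_group(&kex_dh, &p, &g, known_group, null_early);
    group_free(&kex_dh);        /* teardown, the role kex_free() plays */
    return p.frees > g.frees ? p.frees : g.frees;
}

int main(void) {
    printf("late=%d early=%d\n", max_frees(0, 0), max_frees(0, 1));
    return 0;
}
```

Only the combination of a failed known-group check and late nulling yields a count of 2; the success path is unaffected by where the assignment sits.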
Preconditions
- config: Client must be built with OpenSSL support and run in FIPS mode
- config: Client must negotiate `diffie-hellman-group-exchange-sha256` with the attacker-controlled server
- input: Attacker-controlled SSH server returns DH group parameters that pass size checks but fail `dh_is_known_group()`
- config: Client must use a non-fatal flow such as `ssh-keyscan` that continues to teardown after the validation error
Generated on Jun 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- access.redhat.com/security/cve/CVE-2026-55653 (mitre, vdb-entry, x_refsource_REDHAT)
- bugzilla.redhat.com/show_bug.cgi (mitre, issue-tracking, x_refsource_REDHAT)