VYPR

Vendor CVEs

OpenBSD

All CVEs

337 total · sorted by risk
  • CVE-2003-0466CriAug 27, 2003
    risk 0.73cvss 9.8epss 0.78

    Off-by-one error in the fb_realpath() function, as derived from the realpath function in BSD, may allow attackers to execute arbitrary code, as demonstrated in wu-ftpd 2.5.0 through 2.6.2 via commands that cause pathnames of length MAXPATHLEN+1 to trigger a buffer overflow,…

  • CVE-2002-0391CriAug 12, 2002
    risk 0.68cvss 9.8epss 0.58

    Integer overflow in xdr_array function in RPC servers for operating systems that use libc, glibc, or other code based on SunRPC including dietlibc, allows remote attackers to execute arbitrary code by passing a large number of arguments to xdr_array through RPC services such as…

  • CVE-2002-0083CriMar 15, 2002
    risk 0.68cvss 9.8epss 0.15

    Off-by-one error in the channel code of OpenSSH 2.0 through 3.0.2 allows local users or remote malicious servers to gain privileges.

  • CVE-2016-1908CriApr 11, 2017
    risk 0.65cvss 9.8epss 0.14

    The client in OpenSSH before 7.2 mishandles failed cookie generation for untrusted X11 forwarding and relies on the local X11 server for access-control decisions, which allows remote X11 clients to trigger a fallback and obtain trusted X11 forwarding privileges by leveraging…

  • CVE-2002-0639CriJul 3, 2002
    risk 0.65cvss 9.8epss 0.18

    Integer overflow in sshd in OpenSSH 2.9.9 through 3.3 allows remote attackers to execute arbitrary code during challenge response authentication (ChallengeResponseAuthentication) when OpenSSH is using SKEY or BSD_AUTH authentication.

  • CVE-2024-6387HigJul 1, 2024
    risk 0.64cvss 8.1epss 1.00

    A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time…

  • CVE-2015-7687CriOct 16, 2017
    risk 0.64cvss 9.8epss 0.04

    Use-after-free vulnerability in OpenSMTPD before 5.7.2 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via vectors involving req_ca_vrfy_smtp and req_ca_vrfy_mta.

  • CVE-2017-1000372CriJun 19, 2017
    risk 0.64cvss 9.8epss 0.04

    A flaw exists in OpenBSD's implementation of the stack guard page that allows attackers to bypass it resulting in arbitrary code execution using setuid binaries such as /usr/bin/at. This affects OpenBSD 6.1 and possibly earlier versions.

  • CVE-2010-4478CriDec 6, 2010
    risk 0.64cvss 9.8epss 0.04

    OpenSSH 5.6 and earlier, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round…

  • CVE-2016-0778HigJan 14, 2016
    risk 0.54cvss 8.1epss 0.20

    The (1) roaming_read and (2) roaming_write functions in roaming_common.c in the client in OpenSSH 5.x, 6.x, and 7.x before 7.1p2, when certain proxy and forward options are enabled, do not properly maintain connection file descriptors, which allows remote servers to cause a…

  • CVE-2017-5850HigMar 27, 2017
    risk 0.53cvss 7.5epss 0.17

    httpd in OpenBSD allows remote attackers to cause a denial of service (memory consumption) via a series of requests for a large file using an HTTP Range header.

  • CVE-2015-5600HigAug 3, 2015
    risk 0.53cvss 8.1epss 0.09

    The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processing of keyboard-interactive devices within a single connection, which makes it easier for remote attackers to conduct brute-force attacks or cause a denial of…

  • CVE-2016-6241HigMar 7, 2017
    risk 0.51cvss 7.8epss 0.01

    Integer overflow in the amap_alloc1 function in OpenBSD 5.8 and 5.9 allows local users to execute arbitrary code with kernel privileges via a large size value.

  • CVE-2016-6240HigMar 7, 2017
    risk 0.51cvss 7.8epss 0.01

    Integer truncation error in the amap_alloc function in OpenBSD 5.8 and 5.9 allows local users to execute arbitrary code with kernel privileges via a large size value.

  • CVE-2016-8858HigDec 9, 2016
    risk 0.51cvss 7.5epss 0.29

    The kex_input_kexinit function in kex.c in OpenSSH 6.x and 7.x through 7.3 allows remote attackers to cause a denial of service (memory consumption) by sending many duplicate KEXINIT requests. NOTE: a third party reports that "OpenSSH upstream does not consider this as a…

  • CVE-2010-5107HigMar 7, 2013
    risk 0.50cvss 7.5epss 0.17

    The default configuration of OpenSSH through 6.1 enforces a fixed time limit between establishing a TCP connection and completing a login, which makes it easier for remote attackers to cause a denial of service (connection-slot exhaustion) by periodically making many new TCP…

  • CVE-2004-0079HigNov 23, 2004
    risk 0.50cvss 7.5epss 0.10

    The do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference.

  • CVE-2026-35385HigApr 2, 2026
    risk 0.49cvss 7.5epss 0.00

    In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).

  • CVE-2026-3497HigMar 12, 2026
    risk 0.49cvss 7.5epss 0.02

    Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does…

  • CVE-2025-26465MedFeb 18, 2025
    risk 0.49cvss 6.8epss 0.07

    A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle attack can be performed by a malicious machine impersonating a legit server. This issue occurs due to how OpenSSH mishandles error codes in specific conditions when…

  • CVE-2024-39894HigJul 2, 2024
    risk 0.49cvss 7.5epss 0.02

    OpenSSH 9.5 through 9.7 before 9.8 sometimes allows timing attacks against echo-off password entry (e.g., for su and Sudo) because of an ObscureKeystrokeTiming logic error. Similarly, other timing attacks against keystroke entry could occur.

  • CVE-2023-25136MedFeb 3, 2023
    risk 0.49cvss 6.5epss 0.90

    OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be leveraged, by an unauthenticated remote attacker in the default configuration, to jump to any location in the sshd…

  • CVE-2016-6244HigMar 7, 2017
    risk 0.49cvss 7.5epss 0.02

    The sys_thrsigdivert function in kern/kern_sig.c in the OpenBSD kernel 5.9 allows remote attackers to cause a denial of service (panic) via a negative "ts.tv_sec" value.

  • CVE-2011-0539HigFeb 10, 2011
    risk 0.49cvss 7.5epss 0.02

    The key_certify function in usr.bin/ssh/key.c in OpenSSH 5.6 and 5.7, when generating legacy certificates using the -t command-line option in ssh-keygen, does not initialize the nonce field, which might allow remote attackers to obtain sensitive stack memory contents or make it…

  • CVE-2006-5051HigSep 27, 2006
    risk 0.49cvss 8.1epss 0.45

    Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code if GSSAPI authentication is enabled, via unspecified vectors that lead to a double-free.

  • CVE-1999-0052HigNov 4, 1998
    risk 0.49cvss 7.5epss 0.02

    IP fragmentation denial of service in FreeBSD allows a remote attacker to cause a crash.

  • CVE-2016-3115MedMar 22, 2016
    risk 0.48cvss 6.4epss 0.37

    Multiple CRLF injection vulnerabilities in session.c in sshd in OpenSSH before 7.2p2 allow remote authenticated users to bypass intended shell-command restrictions via crafted X11 forwarding data, related to the (1) do_authenticated1 and (2) session_x11_req functions.

  • CVE-2014-1692HigJan 29, 2014
    risk 0.48cvss 7.3epss 0.05

    The hash_buffer function in schnorr.c in OpenSSH through 6.4, when Makefile.inc is modified to enable the J-PAKE protocol, does not initialize certain data structures, which might allow remote attackers to cause a denial of service (memory corruption) or have unspecified other…

  • CVE-2016-0777MedJan 14, 2016
    risk 0.47cvss 6.5epss 0.63

    The resend_bytes function in roaming_common.c in the client in OpenSSH 5.x, 6.x, and 7.x before 7.1p2 allows remote servers to obtain sensitive information from process memory by requesting transmission of an entire buffer, as demonstrated by reading a private key.

  • CVE-2023-51767HigDec 24, 2023
    risk 0.46cvss 7.0epss 0.01

    OpenSSH through 10.0, when common types of DRAM are used, might allow row hammer attacks (for authentication bypass) because the integer value of authenticated in mm_answer_authpassword does not resist flips of a single bit. NOTE: this is applicable to a certain threat model of…

  • CVE-2021-41617HigSep 26, 2021
    risk 0.46cvss 7.0epss 0.02

    sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows privilege escalation because supplemental groups are not initialized as expected. Helper programs for AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with…

  • CVE-2017-1000373MedJun 19, 2017
    risk 0.46cvss 6.5epss 0.13

    The OpenBSD qsort() function is recursive, and not randomized, an attacker can construct a pathological input array of N elements that causes qsort() to deterministically recurse N/4 times. This allows attackers to consume arbitrary amounts of stack memory and manipulate stack…

  • CVE-2016-10009HigJan 5, 2017
    risk 0.46cvss 7.3epss 0.37

    Untrusted search path vulnerability in ssh-agent.c in ssh-agent in OpenSSH before 7.4 allows remote attackers to execute arbitrary local PKCS#11 modules by leveraging control over a forwarded agent-socket.

  • CVE-2019-6109MedJan 31, 2019
    risk 0.45cvss 6.8epss 0.04

    An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a malicious server (or Man-in-The-Middle attacker) can employ crafted object names to manipulate the client output, e.g., by using ANSI control codes to hide additional files being…

  • CVE-2023-51385MedDec 18, 2023
    risk 0.44cvss 6.5epss 0.20

    In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters…

  • CVE-2016-10012HigJan 5, 2017
    risk 0.44cvss 7.8epss 0.01

    The shared memory manager (associated with pre-authentication compression) in sshd in OpenSSH before 7.4 does not ensure that a bounds check is enforced by all compilers, which might allows local users to gain privileges by leveraging access to a sandboxed privilege-separation…

  • CVE-2015-8325HigMay 1, 2016
    risk 0.44cvss 7.8epss 0.01

    The do_setup_env function in session.c in sshd in OpenSSH through 7.2p2, when the UseLogin feature is enabled and PAM is configured to read .pam_environment files in user home directories, allows local users to gain privileges by triggering a crafted environment for the…

  • CVE-2016-10708HigJan 21, 2018
    risk 0.43cvss 7.5epss 0.16

    sshd in OpenSSH before 7.4 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYS message, as demonstrated by Honggfuzz, related to kex.c and packet.c.

  • CVE-2012-0814MedJan 27, 2012
    risk 0.43cvss 6.5epss 0.04

    The auth_parse_options function in auth-options.c in sshd in OpenSSH before 5.7 provides debug messages containing authorized_keys command options, which allows remote authenticated users to obtain potentially sensitive information by reading these messages, as demonstrated by…

  • CVE-2016-10010HigJan 5, 2017
    risk 0.42cvss 7.0epss 0.04

    sshd in OpenSSH before 7.4, when privilege separation is not used, creates forwarded Unix-domain sockets as root, which might allow local users to gain privileges via unspecified vectors, related to serverloop.c.

  • CVE-2014-2653MedMar 27, 2014
    risk 0.42cvss 6.5epss 0.02

    The verify_host_key function in sshconnect.c in the client in OpenSSH 6.6 and earlier allows remote servers to trigger the skipping of SSHFP DNS RR checking by presenting an unacceptable HostCertificate.

  • CVE-2023-48795MedDec 18, 2023
    risk 0.39cvss 5.9epss 0.93

    The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently…

  • CVE-2015-6564HigAug 24, 2015
    risk 0.39cvss 7.0epss 0.01

    Use-after-free vulnerability in the mm_answer_pam_free_ctx function in monitor.c in sshd in OpenSSH before 7.0 on non-OpenBSD platforms might allow local users to gain privileges by leveraging control of the sshd uid to send an unexpectedly early MONITOR_REQ_PAM_FREE_CTX request.

  • CVE-2001-1559MedDec 31, 2001
    risk 0.39cvss 5.5epss 0.01

    The uipc system calls (uipc_syscalls.c) in OpenBSD 2.9 and 3.0 provide user mode return instead of versus rval kernel mode values to the fdrelease function, which allows local users to cause a denial of service and trigger a null dereference.

  • CVE-2018-15473MedAug 17, 2018
    risk 0.38cvss 5.3epss 0.99

    OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.

  • CVE-2016-5117MedJan 31, 2017
    risk 0.38cvss 5.9epss 0.01

    OpenNTPD before 6.0p1 does not validate the CN for HTTPS constraint requests, which allows remote attackers to bypass the man-in-the-middle mitigations via a crafted timestamp constraint with a valid certificate.

  • CVE-2018-14775MedAug 1, 2018
    risk 0.36cvss 5.5epss 0.00

    tss_alloc in sys/arch/i386/i386/gdt.c in OpenBSD 6.2 and 6.3 has a Local Denial of Service (system crash) due to incorrect I/O port access control on the i386 architecture.

  • CVE-2016-6522MedMar 7, 2017
    risk 0.36cvss 5.5epss 0.00

    Integer overflow in the uvm_map_isavail function in uvm/uvm_map.c in OpenBSD 5.9 allows local users to cause a denial of service (kernel panic) via a crafted mmap call, which triggers the new mapping to overlap with an existing mapping.

  • CVE-2016-6350MedMar 7, 2017
    risk 0.36cvss 5.5epss 0.00

    OpenBSD 5.8 and 5.9 allows local users to cause a denial of service (NULL pointer dereference and panic) via a sysctl call with a path starting with 10,9.

  • CVE-2016-6247MedMar 7, 2017
    risk 0.36cvss 5.5epss 0.00

    OpenBSD 5.8 and 5.9 allows certain local users to cause a denial of service (kernel panic) by unmounting a filesystem with an open vnode on the mnt_vnodelist.

Page 1 of 7