CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

CVE-2025-67419
CVSS 8.1 · EPSS 0.23%

regreSSHion: The Zombie Bug That Just Won't Die

Amit Schendel
Senior Security Researcher

Jan 6, 2026 · 5 min read

PoC Available · CISA KEV Listed

Executive Summary (TL;DR)

OpenSSH server (sshd) contains a critical race condition. By manipulating the `LoginGraceTime` timeout, an attacker can interrupt the server's execution flow in a way that corrupts the heap, leading to unauthenticated remote code execution as root. If you are running OpenSSH versions 8.5p1 to 9.7p1 on Linux, patch immediately.

A signal handler race condition in OpenSSH's sshd allows unauthenticated remote code execution (RCE) as root on glibc-based Linux systems. This is a regression of CVE-2006-5051, proving that history doesn't just repeat itself—it recompiles.

Official Patches

OpenSSH: OpenSSH 9.8 Release Notes

Technical Appendix

CVSS Score: 8.1 / 10
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Probability: 0.23% (Top 35% most exploited)
Estimated exposed hosts via Shodan: 14,000,000

Affected Systems

Linux (glibc based), Debian, Ubuntu, Fedora, Red Hat Enterprise Linux

Affected Versions Detail

Product | Affected Versions | Fixed Version
OpenSSH (OpenBSD) | >= 8.5p1, < 9.8p1 | 9.8p1

Attribute | Detail
CWE ID | CWE-364 (Signal Handler Race Condition)
Attack Vector | Network (AV:N)
CVSS Score | 8.1 (High)
Privileges Required | None (PR:N)
User Interaction | None (UI:N)
Exploit Status | Proof of Concept (High Complexity)

MITRE ATT&CK Mapping

T1190: Exploit Public-Facing Application (Initial Access)
T1068: Exploitation for Privilege Escalation (Privilege Escalation)

CWE-364: Signal Handler Race Condition

The software handles a signal in a way that causes the application to enter an inconsistent state, specifically by invoking functions that are not async-signal-safe.

Known Exploits & Detection

Qualys: Original Advisory and Technical Deep Dive
GitHub: Proof of Concept code (race condition verification)
Nuclei: Detection Template Available

Vulnerability Timeline

2006-09-28: Original bug CVE-2006-5051 fixed
2020-10-01: Vulnerability reintroduced in OpenSSH 8.5p1
2024-07-01: Qualys discloses regreSSHion (CVE-2024-6387)
2024-07-01: OpenSSH 9.8p1 released with fix

Related Vulnerabilities

CVE-2006-5051, CVE-2024-6387
