Jan 6, 2026·6 min read·3 visits
OpenSSH's sshd server has a race condition in its SIGALRM handler. If a client disconnects precisely when the LoginGraceTime expires, the signal handler calls non-async-signal-safe functions (syslog). This corrupts the glibc heap, leading to potential RCE as root. It affects versions 8.5p1 through 9.7p1.
A signal handler race condition in OpenSSH's server (sshd) allows unauthenticated remote code execution (RCE) as root on glibc-based Linux systems. This is a regression of a vulnerability originally fixed in 2006 (CVE-2006-5051).
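The bug class described above, as an added C example (not OpenSSH source code): an unsafe handler that logs from signal context, next to a hardened one that only sets a flag and defers logging to normal context. All function names and the log message are hypothetical, and `raise()` is a constructed stand-in for the grace timer firing.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <string.h>
#include <syslog.h>

/* Unsafe pattern (illustrative only, never installed below): syslog() is not
 * async-signal-safe. If the signal interrupts malloc()/free(), re-entering
 * the allocator from the handler can leave the heap inconsistent. */
void grace_alarm_unsafe(int sig)
{
    (void)sig;
    syslog(LOG_INFO, "login grace time expired (constructed message)");
}

/* Hardened pattern: the handler only records the event in a sig_atomic_t. */
static volatile sig_atomic_t grace_expired = 0;

static void grace_alarm_safe(int sig)
{
    (void)sig;
    grace_expired = 1;
}

/* Install the safe handler for SIGALRM; returns 0 on success. */
int install_grace_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = grace_alarm_safe;
    sigemptyset(&sa.sa_mask);
    grace_expired = 0;
    return sigaction(SIGALRM, &sa, NULL);
}

/* Called from the main loop, in normal context, where syslog() is allowed.
 * Returns 1 if the timer fired (the caller would then drop the session). */
int grace_check_and_log(void)
{
    if (!grace_expired)
        return 0;
    grace_expired = 0;
    syslog(LOG_INFO, "login grace time expired (constructed message)");
    return 1;
}

int main(void)
{
    if (install_grace_handler() != 0) return 1;
    raise(SIGALRM);                 /* constructed stand-in for the timer */
    return grace_check_and_log() ? 0 : 1;
}
```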
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

| Product | Affected Versions | Fixed Version |
|---|---|---|
| OpenSSH OpenBSD | >= 8.5p1, < 9.8p1 | 9.8p1 |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-364 |
| Attack Vector | Network |
| CVSS v3.1 | 8.1 |
| Impact | Remote Code Execution (Root) |
| Exploit Status | High Complexity PoC |
| Architecture | x86 (glibc) |
Signal Handler Race Condition