regreSSHion: The Zombie Bug That Just Won't Die
Vulnerability ID: CVE-2025-67419
CVSS Score: 8.1
Published: 2026-01-05
A signal handler race condition in OpenSSH's sshd allows unauthenticated remote code execution (RCE) as root on glibc-based Linux systems. It is a regression of CVE-2006-5051, a bug fixed in 2006 and reintroduced with the 8.5p1 release: history doesn't just repeat itself, it recompiles.
TL;DR
OpenSSH server (sshd) contains a critical race condition. If a client does not authenticate within LoginGraceTime (120 seconds by default), sshd's SIGALRM handler runs and calls syslog(), which is not async-signal-safe: on glibc it can call malloc() and free(). An attacker who times the expiry so that the signal lands while the interrupted code is itself inside the allocator can corrupt the heap and, after enough attempts, obtain unauthenticated remote code execution as root. If you are running OpenSSH 8.5p1 through 9.7p1 on Linux, patch immediately.
⚠️ Exploit Status: POC
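To make the mechanism concrete, here is an added example (it is not OpenSSH code and not from the Qualys advisory) that contrasts the handler shape regreSSHion exploits with the shape the fix moves to, using a simulated pre-authentication wait. The names grace_alarm_unsafe, grace_alarm_safe and run_login_grace are chosen for this demo and are not sshd identifiers.

```c
/* Added example for this advisory; not OpenSSH code. Contrasts an
 * async-signal-unsafe SIGALRM handler with the flag-only pattern, around a
 * simulated LoginGraceTime wait. Function names are demo choices. */
#define _DEFAULT_SOURCE 1
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/time.h>
#include <syslog.h>
#include <unistd.h>

/* sig_atomic_t is the only object a handler may write without further care;
 * volatile keeps the compiler from caching it across the poll loop. */
static volatile sig_atomic_t grace_expired;

/* VULNERABLE SHAPE (never installed below): syslog() takes a lock and may call
 * malloc()/free(). If SIGALRM arrives while the interrupted code is inside the
 * allocator, this re-enters it on a half-updated heap. */
void grace_alarm_unsafe(int sig)
{
    (void)sig;
    syslog(LOG_CRIT, "Timeout before authentication"); /* not async-signal-safe */
    _exit(1);
}

/* FIXED SHAPE: write one flag and return; logging happens later, in normal
 * context, where syslog() is safe to call. */
void grace_alarm_safe(int sig)
{
    (void)sig;
    grace_expired = 1;
}

/* Simulate sshd's pre-authentication wait.
 * grace_ms: timer in ms; 0 disables it (the effect of LoginGraceTime 0).
 * work_ms:  how long the "client" takes before it would authenticate.
 * Returns 1 if the grace timer expired first, 0 if the client finished first. */
int run_login_grace(unsigned grace_ms, unsigned work_ms)
{
    struct sigaction sa;
    struct itimerval it;
    unsigned elapsed = 0;

    grace_expired = 0;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = grace_alarm_safe;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0; /* no SA_RESTART: a sleeping call returns early, so the flag is seen promptly */
    sigaction(SIGALRM, &sa, NULL);

    memset(&it, 0, sizeof it);
    if (grace_ms) {
        it.it_value.tv_sec = grace_ms / 1000;
        it.it_value.tv_usec = (grace_ms % 1000) * 1000;
        setitimer(ITIMER_REAL, &it, NULL);
    }

    /* Process "packets" in 10 ms slices and check the flag between them. */
    while (elapsed < work_ms && !grace_expired) {
        usleep(10000);
        elapsed += 10;
    }

    /* Disarm the timer, then do the logging the handler no longer does. */
    memset(&it, 0, sizeof it);
    setitimer(ITIMER_REAL, &it, NULL);
    if (grace_expired) {
        syslog(LOG_INFO, "grace time expired before authentication");
        return 1;
    }
    return 0;
}

int main(void)
{
    printf("grace 50 ms, client needs 500 ms -> timed out: %d\n", run_login_grace(50, 500));
    printf("grace off,   client needs 50 ms  -> timed out: %d\n", run_login_grace(0, 50));
    return 0;
}
```

The point of the safe variant is that nothing with hidden state (locks, the allocator, stdio) runs in signal context; the handler's only side effect is one sig_atomic_t store, and the expensive work is done after the interrupted code reaches a consistent state. Disabling the timer, as the `grace_ms == 0` path does, removes the handler invocation entirely, which is why `LoginGraceTime 0` works as a stopgap.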
Technical Details
- CWE ID: CWE-364 (Signal Handler Race Condition)
- Attack Vector: Network (AV:N)
- CVSS Score: 8.1 (High)
- Privileges Required: None (PR:N)
- User Interaction: None (UI:N)
- Exploit Status: Proof of Concept (High Complexity)
Affected Systems
- Linux (glibc based)
- Debian
- Ubuntu
- Fedora
- Red Hat Enterprise Linux
- OpenSSH: >= 8.5p1, < 9.8p1 (fixed in 9.8p1)
Code Analysis
Commit: 4392437
Remove syslog calls from signal handler
- syslog(LOG_CRIT, ...)
+ sig_term_flag = 1;
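Review bot: the `+ sig_term_flag = 1;` line is only safe if sig_term_flag is declared `volatile sig_atomic_t` and something on the interrupted path actually reads it; neither the declaration nor the consumer is in the hunk, so as shown the timeout would be silently dropped. Suggest adding `static volatile sig_atomic_t sig_term_flag;` and checking the flag in the pre-auth loop (and after any EINTR return), so that the deferred exit and the removed syslog() message both happen in normal context rather than in the handler.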
Exploit Details
- Qualys: Original Advisory and Technical Deep Dive
- GitHub: Proof of Concept code (race condition verification)
Mitigation Strategies
- Update OpenSSH to version 9.8p1 or later.
- Set 'LoginGraceTime 0' in sshd_config as a temporary workaround: it disables the timer, so the vulnerable handler never runs, but unauthenticated clients can then hold connections open indefinitely and exhaust MaxStartups (DoS risk).
- Restrict SSH access to trusted networks using firewalls/VPNs.
Remediation Steps:
- Identify vulnerable hosts running OpenSSH versions >= 8.5p1 and < 9.8p1.
- Apply vendor patches via package managers (apt, yum, dnf).
- Verify the installed server package, not just the client: `ssh -V` prints the client binary's version, so query the package (`dpkg -l openssh-server` or `rpm -q openssh-server`) and read its changelog, because Debian, Ubuntu, Fedora and RHEL backport fixes without changing the upstream version number.
- Restart the sshd service.
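For the identification step above, the quickest network-side check is the SSH banner a host returns on connect. The following is an added example, not the page's or OpenSSH's code: it parses identification strings and places them inside or outside the >= 8.5p1, < 9.8p1 window, and flags vendor builds whose number alone cannot decide the question. The sample banners are constructed for the demo; parse_openssh_version, classify_openssh_banner and the two wrapper functions are names chosen here, not tool APIs.

```c
/* Added example for this advisory; not the page's or OpenSSH's code. Classifies
 * SSH identification strings against the regreSSHion version window. The
 * sample banners in main() are constructed, not captured from real hosts. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum ssh_status {
    SSH_NOT_OPENSSH = 0,   /* other server, or unparsable banner */
    SSH_BEFORE_REGRESSION, /* < 8.5p1: outside the window this page covers */
    SSH_VULNERABLE,        /* 8.5p1 .. 9.7p1 by upstream number */
    SSH_FIXED              /* >= 9.8p1 */
};

/* Pull "OpenSSH_<major>.<minor>[p<patch>]" out of a banner such as
 * "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.4\r\n". Returns 1 on success.
 * has_vendor_suffix is set when text follows the version (a distro build). */
int parse_openssh_version(const char *banner, int *major, int *minor, int *patch,
                          int *has_vendor_suffix)
{
    const char *p = strstr(banner, "OpenSSH_");
    char *end;
    long v;

    if (!p) return 0;
    p += strlen("OpenSSH_");

    v = strtol(p, &end, 10);
    if (end == p || *end != '.') return 0;
    *major = (int)v;

    p = end + 1;
    v = strtol(p, &end, 10);
    if (end == p) return 0;
    *minor = (int)v;

    *patch = 0;
    if (*end == 'p') {
        p = end + 1;
        v = strtol(p, &end, 10);
        if (end == p) return 0;
        *patch = (int)v;
    }
    /* Anything after a space (e.g. "Ubuntu-3ubuntu13.4") marks a vendor build. */
    *has_vendor_suffix = (*end == ' ' && end[1] != '\0' && end[1] != '\r' && end[1] != '\n');
    return 1;
}

/* Classify by upstream version. needs_changelog_check is set when the number
 * says "vulnerable" but a vendor suffix is present: distros backport the fix
 * without bumping the upstream number, so only the package changelog or the
 * vendor advisory can confirm the host's real state. */
enum ssh_status classify_openssh_banner(const char *banner, int *needs_changelog_check)
{
    int major, minor, patch, vendor, v;

    *needs_changelog_check = 0;
    if (!parse_openssh_version(banner, &major, &minor, &patch, &vendor))
        return SSH_NOT_OPENSSH;

    v = major * 100 + minor; /* 9.8p1 -> 908; the window boundaries are release numbers */
    if (v < 805) return SSH_BEFORE_REGRESSION;
    if (v >= 908) return SSH_FIXED;
    *needs_changelog_check = vendor;
    return SSH_VULNERABLE;
}

/* Wrappers for callers that want a single answer without an out-parameter. */
int banner_status(const char *banner)
{
    int c;
    return (int)classify_openssh_banner(banner, &c);
}

int banner_needs_changelog_check(const char *banner)
{
    int c;
    classify_openssh_banner(banner, &c);
    return c;
}

int main(void)
{
    /* Constructed sample banners, not captured from real hosts. */
    const char *samples[] = {
        "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.4\r\n",
        "SSH-2.0-OpenSSH_8.5p1\r\n",
        "SSH-2.0-OpenSSH_9.8p1\r\n",
        "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3\r\n",
        "SSH-2.0-dropbear_2022.83\r\n",
    };
    static const char *names[] = { "not OpenSSH", "before 8.5p1", "VULNERABLE", "fixed" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int check = 0;
        enum ssh_status s = classify_openssh_banner(samples[i], &check);
        printf("%-44.*s -> %s%s\n", (int)strcspn(samples[i], "\r\n"), samples[i], names[s],
               check ? " (vendor build: confirm via package changelog)" : "");
    }
    return 0;
}
```

Treat a "VULNERABLE" verdict on a vendor build as "unknown until the changelog says otherwise": an Ubuntu or Debian host can answer with a 9.6p1 or 9.2p1 banner and still carry the backported fix, and a banner check will never see that.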
References
Read the full report for CVE-2025-67419 on our website for more details including interactive diagrams and full exploit analysis.