2415997 – (CVE-2025-58181) CVE-2025-58181 golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via unbounded memory consumption in GSSAPI authentication

Bug 2415997 (CVE-2025-58181) - CVE-2025-58181 golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via unbounded memory consumption in GSSAPI authentication

Summary: CVE-2025-58181 golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Se...

Keywords:
Status:	NEW
Alias:	CVE-2025-58181
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2424424 2424425 2424426 2424423
Blocks:
TreeView+	depends on / blocked

Reported:	2025-11-19 21:01 UTC by OSIDB Bzimport
Modified:	2026-01-21 10:55 UTC (History)
CC List:	86 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-11-19 21:01:19 UTC

SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

Note You need to log in before you can comment on or make changes to this bug.

aazores
alcohan
alebedev
amctagga
anjoseph
ansmith
aoconnor
bdettelb
bniver
carogers
cmah
crizzo
dhanak
doconnor
drosa
dsimansk
dymurray
eaguilar
ebaron
eglynn
erezende
fdeutsch
flucifre
gmeno
gparvin
groman
haoli
hkataria
jaharrin
jajackso
jbalunas
jburrell
jcammara
jeder
jjoyce
jkoehler
jmatthew
jmitchel
jneedle
jolong
jprabhak
jschluet
kegrant
kingland
koliveir
kshier
kverlaen
lball
lhh
lphiri
mabashia
manissin
matzew
mbenjamin
mburns
mgarciac
mhackett
mnovotny
ngough
oramraz
owatkins
pahickey
pbohmill
pbraun
peholase
pjindal
rhaigner
rjohnson
sausingh
sdawley
shvarugh
simaishi
smcdonal
smullick
sostapov
stcannon
stirabos
teagle
tfister
thason
thavo
vereddy
veshanka
whayutin
wtam
yguenane