The kexinputkexinit function in kex.c in OpenSSH 6.x and 7.x through 7.3 allows remote attackers to cause a denial of service (memory consumption) by sending many duplicate KEXINIT requests. NOTE: a third party reports that "OpenSSH upstream does not consider this as a security issue."
{
"unresolved_ranges": [
{
"cpes": [
"cpe:2.3:a:openbsd:openssh:7.1:*:*:*:*:*:*:*",
"cpe:2.3:a:openbsd:openssh:7.2:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "7.1"
},
{
"last_affected": "7.1"
},
{
"introduced": "7.2"
},
{
"last_affected": "7.2"
}
],
"vendor_product": "openbsd:openssh",
"source": "CPE_STRING"
}
]
}{
"cpe": [
"cpe:2.3:a:openbsd:openssh:6.8:*:*:*:*:*:*:*",
"cpe:2.3:a:openbsd:openssh:6.9:*:*:*:*:*:*:*",
"cpe:2.3:a:openbsd:openssh:7.0:*:*:*:*:*:*:*",
"cpe:2.3:a:openbsd:openssh:7.3:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "6.8"
},
{
"last_affected": "6.8"
},
{
"introduced": "6.9"
},
{
"last_affected": "6.9"
},
{
"introduced": "7.0"
},
{
"last_affected": "7.0"
},
{
"introduced": "7.3"
},
{
"last_affected": "7.3"
}
],
"source": [
"CPE_STRING",
"REFERENCES"
]
}[
{
"source": "https://github.com/openssh/openssh-portable/commit/ec165c392ca54317dbe3064a8c200de6531e89ad",
"signature_version": "v1",
"signature_type": "Line",
"digest": {
"line_hashes": [
"156902939790282373310700724171657588209",
"316380331125517353126913904911828465574",
"295105781540324081782822153413707735107",
"244003011357174172644176527148363962509"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2016-8858-2d5da5dc",
"target": {
"file": "kex.c"
}
},
{
"source": "https://github.com/openssh/openssh-portable/commit/ec165c392ca54317dbe3064a8c200de6531e89ad",
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"function_hash": "235425802652287821391024408040613178504",
"length": 1030.0
},
"deprecated": false,
"id": "CVE-2016-8858-dfa55b22",
"target": {
"function": "kex_input_kexinit",
"file": "kex.c"
}
}
]
"2026-07-08T12:05:05Z"
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-8858.json"