CVE-2016-8858

Source
https://cve.org/CVERecord?id=CVE-2016-8858
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-8858.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2016-8858
Downstream
Related
Published
2016-12-09T11:59:00.207Z
Modified
2026-07-08T12:05:05.092370Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

The kexinputkexinit function in kex.c in OpenSSH 6.x and 7.x through 7.3 allows remote attackers to cause a denial of service (memory consumption) by sending many duplicate KEXINIT requests. NOTE: a third party reports that "OpenSSH upstream does not consider this as a security issue."

Database specific
{
    "unresolved_ranges": [
        {
            "cpes": [
                "cpe:2.3:a:openbsd:openssh:7.1:*:*:*:*:*:*:*",
                "cpe:2.3:a:openbsd:openssh:7.2:*:*:*:*:*:*:*"
            ],
            "extracted_events": [
                {
                    "introduced": "7.1"
                },
                {
                    "last_affected": "7.1"
                },
                {
                    "introduced": "7.2"
                },
                {
                    "last_affected": "7.2"
                }
            ],
            "vendor_product": "openbsd:openssh",
            "source": "CPE_STRING"
        }
    ]
}
References

Affected packages

Git / github.com/openssh/openssh-portable

Affected ranges

Type
GIT
Repo
https://github.com/openssh/openssh-portable
Events
Database specific
{
    "cpe": [
        "cpe:2.3:a:openbsd:openssh:6.8:*:*:*:*:*:*:*",
        "cpe:2.3:a:openbsd:openssh:6.9:*:*:*:*:*:*:*",
        "cpe:2.3:a:openbsd:openssh:7.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:openbsd:openssh:7.3:*:*:*:*:*:*:*"
    ],
    "extracted_events": [
        {
            "introduced": "6.8"
        },
        {
            "last_affected": "6.8"
        },
        {
            "introduced": "6.9"
        },
        {
            "last_affected": "6.9"
        },
        {
            "introduced": "7.0"
        },
        {
            "last_affected": "7.0"
        },
        {
            "introduced": "7.3"
        },
        {
            "last_affected": "7.3"
        }
    ],
    "source": [
        "CPE_STRING",
        "REFERENCES"
    ]
}

Affected versions

6.*
6.8
6.9
7.*
7.0
7.3
Other
V_6_8_P1
V_6_9_P1
V_7_0_P1
V_7_1_P1
V_7_2_P1
V_7_3_P1

Database specific

vanir_signatures
[
    {
        "source": "https://github.com/openssh/openssh-portable/commit/ec165c392ca54317dbe3064a8c200de6531e89ad",
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "156902939790282373310700724171657588209",
                "316380331125517353126913904911828465574",
                "295105781540324081782822153413707735107",
                "244003011357174172644176527148363962509"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "id": "CVE-2016-8858-2d5da5dc",
        "target": {
            "file": "kex.c"
        }
    },
    {
        "source": "https://github.com/openssh/openssh-portable/commit/ec165c392ca54317dbe3064a8c200de6531e89ad",
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "function_hash": "235425802652287821391024408040613178504",
            "length": 1030.0
        },
        "deprecated": false,
        "id": "CVE-2016-8858-dfa55b22",
        "target": {
            "function": "kex_input_kexinit",
            "file": "kex.c"
        }
    }
]
vanir_signatures_modified
"2026-07-08T12:05:05Z"
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-8858.json"