Description: OpenSSH through 9.6, when common types of DRAM are used, might allow row hammer attacks (for authentication bypass) because the integer value of authenticated in mm_answer_authpassword does not resist flips of a single bit. NOTE: this is applicable to a certain threat model of attacker-victim co-location in which the attacker has user privileges.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1059393

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release                         Version             Status
openssh (PTS)    bullseye (security), bullseye   1:8.4p1-5+deb11u3   vulnerable
                 bookworm (security)             1:9.2p1-2+deb12u3   vulnerable
                 sid, trixie                     1:9.7p1-7           vulnerable

The information below is based on the following data on fixed versions.

Package   Type   Release   Fixed Version   Urgency   Origin   Debian Bugs

Upstream does not consider CVE-2023-51767 to be an underlying bug in OpenSSH and
does not intend to address it in OpenSSH. To today's knowledge (2024-03-13),
it has not been demonstrated that the issue is exploitable in any real
software configuration.

