Two severe vulnerabilities (CVE-2025-46807 and CVE-2025-46806) in the protocol multiplexer SSLH allow remote attackers to crash services via resource exhaustion and memory misalignment issues. Patched in version 2.2.4, these flaws affect systems using the sslh-select or sslh-ev I/O models, particularly those handling UDP traffic. Below, we break down the technical details, risks, and mitigation strategies.
1. File Descriptor Exhaustion Triggers Segmentation Fault
The sslh-select and sslh-ev implementations fail to handle UDP session timeouts properly, allowing attackers to exhaust the default limit of 1,024 file descriptors. When the limit is reached, the new_cnx variable holds a NULL pointer, and dereferencing it triggers a segmentation fault that crashes the service.
Attack Mechanics:
- UDP sessions remain open indefinitely without traffic, enabling resource starvation.
- Sending 29+ bytes of 0x08 to OpenVPN-probed UDP ports reproduces the crash.
- Compounding this, reaching the configured udp_max_connections limit triggers the same bug.
Fix: Commit ff8206f7c in v2.2.4 resolves the segmentation fault but leaves UDP sockets lingering until timeout.
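To make the failure path concrete, here is an added example (not sslh's code; sslh's real new_cnx and connection struct differ, and the struct cnx and new_udp_cnx() below are stand-ins) that lowers the process's own RLIMIT_NOFILE, the same knob an administrator sets with ulimit -n or a service manager's file descriptor limit, opens UDP sockets until the kernel returns EMFILE, and shows the caller checking for NULL instead of dereferencing it:

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <unistd.h>

/* Stand-in for sslh's per-connection record; the real struct in sslh is larger
   (assumption: only the fd is needed to show the failure path). */
struct cnx {
    int fd;
};

/* Open a UDP socket and attach a record to it.  Returns NULL when the file
   descriptor table is full (errno == EMFILE) or any other step fails, so the
   caller must check before touching the record. */
struct cnx *new_udp_cnx(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return NULL;                 /* errno left as set by socket() */
    struct cnx *c = calloc(1, sizeof *c);
    if (c == NULL) {
        close(fd);
        return NULL;
    }
    c->fd = fd;
    return c;
}

/* Lower this process's soft RLIMIT_NOFILE to `limit` (what `ulimit -n` does
   from the shell), keep creating UDP "sessions" until new_udp_cnx() fails,
   then release everything and restore the old limit.  Returns the number of
   sessions created, or -1 on setup error; *hit_emfile is set to 1 when the
   failure was the fd-table limit rather than something else. */
int exhaust_fds(rlim_t limit, int *hit_emfile)
{
    struct rlimit old, cur;
    *hit_emfile = 0;
    if (getrlimit(RLIMIT_NOFILE, &old) != 0)
        return -1;
    cur.rlim_cur = limit;
    cur.rlim_max = old.rlim_max;
    if (setrlimit(RLIMIT_NOFILE, &cur) != 0)
        return -1;

    struct cnx **pool = calloc(limit, sizeof *pool);
    if (pool == NULL) {
        setrlimit(RLIMIT_NOFILE, &old);
        return -1;
    }
    int n = 0;
    for (;;) {
        struct cnx *c = new_udp_cnx();
        if (c == NULL) {
            /* The pre-2.2.4 path did the equivalent of c->fd here and crashed;
               the fixed path records the failure and drops the datagram. */
            *hit_emfile = (errno == EMFILE);
            break;
        }
        pool[n++] = c;               /* n stays below `limit`: fds are numbered 0..limit-1 */
    }
    for (int i = 0; i < n; i++) {
        close(pool[i]->fd);
        free(pool[i]);
    }
    free(pool);
    setrlimit(RLIMIT_NOFILE, &old);
    return n;
}

int main(void)
{
    int emfile = 0;
    int n = exhaust_fds(32, &emfile);
    printf("created %d UDP sessions before failure (EMFILE=%d)\n", n, emfile);
    return (n > 0 && emfile) ? 0 : 1;
}
```

With a limit of 32 the loop stops after roughly 29 sockets, because stdin, stdout and stderr already occupy three slots; the point is that the limit is reached silently by socket() returning -1, and only the caller's NULL check stands between that and a crash.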
2. Misaligned Memory Access in OpenVPN Probe
The is_openvpn_protocol() function dereferences unaligned uint32_t pointers in UDP payloads, causing SIGBUS errors on strict-alignment architectures like ARM. On x86_64, this results in undefined behavior detectable via -fsanitize=alignment.
Vulnerable Code Snippet:
```c
/* p points into the received UDP payload; offset 25 is not 4-byte aligned */
if (ntohl(*(uint32_t*)(p + OVPN_HARD_RESET_PACKET_ID_OFFSET(OVPN_HMAC_128))) <= 5u)
```
This directly reads a 4-byte integer at offset 25 in the network buffer, ignoring alignment requirements.
Fix: Upstream replaced pointer dereferencing with memcpy() to stack variables in commit 204305a88fb3.
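The following added example (written for this article, not taken from sslh) places the pre-fix and post-fix shapes of the check side by side and builds a constructed hard-reset-shaped datagram to run them on. The offset constant, the builder and the function names are assumptions standing in for sslh's OVPN_HARD_RESET_PACKET_ID_OFFSET() macro and probe code:

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offset of the 4-byte replay packet id in an OpenVPN hard-reset packet with a
   128-bit HMAC: 1 opcode byte + 8 session-id bytes + 16 HMAC bytes = 25, the
   offset the advisory cites.  sslh derives the same number from its own
   OVPN_HARD_RESET_PACKET_ID_OFFSET() macro; this constant is an assumption
   used here in its place. */
#define OVPN_PACKET_ID_OFFSET_HMAC128 25

/* Pre-fix shape of the check: cast an odd address to uint32_t* and load through
   it.  Undefined behaviour in C; a SIGBUS on CPUs that trap unaligned loads and
   a -fsanitize=alignment report elsewhere.  Kept here for comparison only. */
int packet_id_small_unaligned(const unsigned char *p, size_t len)
{
    if (len < OVPN_PACKET_ID_OFFSET_HMAC128 + 4)
        return 0;
    return ntohl(*(const uint32_t *)(p + OVPN_PACKET_ID_OFFSET_HMAC128)) <= 5u;
}

/* Post-fix shape: copy the four bytes into an aligned local first.  memcpy has
   no alignment requirement, and the compiler turns it into a plain (possibly
   byte-wise) load where the target needs one. */
int packet_id_small_aligned(const unsigned char *p, size_t len)
{
    uint32_t id;
    if (len < OVPN_PACKET_ID_OFFSET_HMAC128 + 4)
        return 0;                    /* short packet: never read past the buffer */
    memcpy(&id, p + OVPN_PACKET_ID_OFFSET_HMAC128, sizeof id);
    return ntohl(id) <= 5u;
}

/* Build a constructed hard-reset-shaped datagram: opcode byte, 8-byte session
   id and 16-byte HMAC (all 0x08 filler, not a real MAC), then `packet_id` in
   network byte order.  Returns the datagram length (29) or 0 if `out` is too
   small. */
size_t build_hard_reset_packet(unsigned char *out, size_t cap, uint32_t packet_id)
{
    const size_t len = OVPN_PACKET_ID_OFFSET_HMAC128 + 4;
    uint32_t be = htonl(packet_id);
    if (cap < len)
        return 0;
    memset(out, 0x08, OVPN_PACKET_ID_OFFSET_HMAC128);
    memcpy(out + OVPN_PACKET_ID_OFFSET_HMAC128, &be, sizeof be);
    return len;
}

int main(void)
{
    unsigned char buf[64];
    size_t n = build_hard_reset_packet(buf, sizeof buf, 3);
    printf("len=%zu aligned check (id=3): %d\n", n, packet_id_small_aligned(buf, n));
    n = build_hard_reset_packet(buf, sizeof buf, 6);
    printf("len=%zu aligned check (id=6): %d\n", n, packet_id_small_aligned(buf, n));
    return 0;
}
```

Compiling with -fsanitize=alignment and calling packet_id_small_unaligned() on the 29-byte buffer reports the misaligned load; the memcpy variant is silent on every architecture, which is the property the upstream fix relies on. The length check in both functions is not part of the alignment fix but is the bound a probe must have anyway before reading four bytes at offset 25.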
3. Mitigation and Risk Analysis
Factor | CVE-2025-46807 | CVE-2025-46806 |
---|---|---|
CVSS Score | 8.7 (High) | 6.9 (Medium) |
Impact | Remote DoS via crash | Architecture-dependent DoS |
Attack Vector | Network (UDP) | Network (UDP) |
Complexity | Low (no authentication required) | Low (single malformed packet) |
Privileges Required | None | None |
Recommendations:
- Upgrade to sslh v2.2.4 immediately.
- For UDP-heavy deployments, enforce system-wide file descriptor limits via cgroups or ulimit.
- Monitor for false positives in protocol detection, as probes like is_tinc_protocol() rely on minimal heuristics.
While SSLH’s default hardening and privilege separation limit broader exploitation, these vulnerabilities underscore risks in protocol multiplexers processing untrusted data.
Administrators should prioritize patching and consider OS-level resource constraints to mitigate advanced DoS attacks.
The SUSE team confirms SSLH remains viable for production use post-patch, though vigilance against edge-case probe failures is advised.