Critical sslh Vulnerabilities Allow Remote Denial-of-Service Attacks

Security researchers disclosed two critical vulnerabilities in sslh, a widely used protocol multiplexer that lets several services, such as SSH, HTTPS and OpenVPN, share a single network port by probing the first bytes of each connection and forwarding it to the matching backend.

The flaws, tracked as CVE-2025-46807 and CVE-2025-46806, allow an unauthenticated remote attacker to crash sslh or render it unavailable, resulting in a denial of service (DoS) for every service behind the shared port.

CVE ID: CVE-2025-46807
Vulnerability title: File Descriptor Exhaustion Triggers Segmentation Fault
Affected versions: sslh-select, sslh-ev (≤2.2.1)
Description: Failure to close UDP session file descriptors allows remote attackers to exhaust available descriptors, causing a NULL pointer dereference and segmentation fault (DoS).

CVE ID: CVE-2025-46806
Vulnerability title: Misaligned Memory Accesses in OpenVPN Protocol Probe
Affected versions: All variants (≤2.2.1)
Description: Unsafe dereferencing of unaligned uint32_t pointers in the OpenVPN probe allows remote attackers to trigger SIGBUS or undefined behavior, causing a process crash (DoS).

CVE-2025-46807: File Descriptor Exhaustion Triggers Segmentation Fault

The most severe vulnerability, CVE-2025-46807, affects the sslh-select and sslh-ev variants. In these modes, sslh tracks each incoming UDP session (identified by its source address and port) by opening a new socket, which consumes one file descriptor per session.

However, the software never closes these descriptors when a session goes quiet. An attacker can exploit this by starting a large number of UDP sessions, each from a different source port or address and each needing only a single byte of payload, until the default per-process limit of 1024 open file descriptors is reached.

Once that limit is hit, the next attempt to open a socket for a new session fails, and instead of handling the error sslh dereferences the resulting NULL pointer, causing a segmentation fault and a complete crash of the service.

In practice a remote attacker can knock sslh offline with about a thousand tiny datagrams, taking down every service multiplexed behind that port.
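The following is an added example, not sslh's own code: a simplified UDP session table that models the descriptor leak described above next to the hardened pattern. Descriptors are simulated with a fixed pool so the program never touches the real process limit; the pool size of 1024 and the five-second idle timeout are assumptions chosen to mirror the figures in this article.

```c
#include <stdio.h>

#define FD_POOL      1024   /* simulated descriptor limit, mirrors the default soft RLIMIT_NOFILE (assumed) */
#define IDLE_TIMEOUT 5      /* seconds of silence before an idle session is reaped (assumed) */

struct session {
    int  fd;          /* simulated descriptor number, or -1 when the slot is free */
    long last_seen;   /* simulated clock (seconds) of the last datagram from this peer */
};

static struct session table[FD_POOL];
static int in_use;

/* Stand-in for socket(): hands out the lowest free slot and fails with -1
 * once the pool is exhausted, the way a real socket() fails with EMFILE. */
static int fake_socket(void)
{
    for (int i = 0; i < FD_POOL; i++) {
        if (table[i].fd == -1) {
            table[i].fd = i;
            in_use++;
            return i;
        }
    }
    return -1;
}

static void fake_close(int fd)
{
    table[fd].fd = -1;
    in_use--;
}

static void reset_table(void)
{
    for (int i = 0; i < FD_POOL; i++)
        table[i].fd = -1;
    in_use = 0;
}

/* Leaky pattern: every datagram from a new peer costs a descriptor and idle
 * sessions are never closed. A caller that uses the returned pointer without
 * checking for NULL is the segmentation fault the advisory describes. */
static struct session *new_session_leaky(long now)
{
    int fd = fake_socket();
    if (fd < 0)
        return NULL;
    table[fd].last_seen = now;
    return &table[fd];
}

/* Close every session that has been silent for longer than IDLE_TIMEOUT. */
static void reap_idle(long now)
{
    for (int i = 0; i < FD_POOL; i++)
        if (table[i].fd != -1 && now - table[i].last_seen > IDLE_TIMEOUT)
            fake_close(i);
}

/* Hardened pattern: reclaim idle sessions when the pool is full, and treat a
 * second failure as "drop this datagram", never as a pointer to dereference. */
static struct session *new_session_fixed(long now)
{
    int fd = fake_socket();
    if (fd < 0) {
        reap_idle(now);
        fd = fake_socket();
        if (fd < 0)
            return NULL;
    }
    table[fd].last_seen = now;
    return &table[fd];
}

/* Feed n single-byte datagrams, each from a distinct peer and one second
 * apart, through the chosen allocator; returns how many were served. */
static int simulate(int n, struct session *(*alloc)(long))
{
    int served = 0;
    reset_table();
    for (long t = 0; t < n; t++)
        if (alloc(t) != NULL)
            served++;
    return served;
}

static int sessions_in_use(void) { return in_use; }

int main(void)
{
    int served_leaky = simulate(2000, new_session_leaky);
    int held_leaky   = sessions_in_use();
    int served_fixed = simulate(2000, new_session_fixed);
    int held_fixed   = sessions_in_use();
    printf("leaky allocator: served %d of 2000 datagrams, %d descriptors held\n", served_leaky, held_leaky);
    printf("fixed allocator: served %d of 2000 datagrams, %d descriptors held\n", served_fixed, held_fixed);
    return 0;
}
```

With the leaky allocator the first 1024 peers each pin a descriptor and every later datagram fails; the fixed allocator reaps sessions that have been idle longer than the timeout and keeps serving, and it returns NULL rather than a dangling pointer if the pool is genuinely full of active peers.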

The vulnerability is classified as a resource exhaustion issue (CWE-770, Allocation of Resources Without Limits or Throttling) and carries a high severity rating, with a CVSS 4.0 base score of 8.7.

The sslh-fork variant is less susceptible, as it spawns a new process for each TCP connection and enforces a five-second probe timeout, after which an unresponsive connection is dealt with rather than held open indefinitely.

However, spawning thousands of processes can still strain system resources, so administrators are advised to cap what the service may consume at the system level, for example with ulimit constraints or, under systemd, directives such as LimitNOFILE= for descriptors and TasksMax= and MemoryMax= for cgroup-enforced process and memory limits.

CVE-2025-46806: Misaligned Memory Access in OpenVPN Probe

The second vulnerability, CVE-2025-46806, is rooted in unsafe memory handling within the OpenVPN protocol probe.

Specifically, sslh casts byte offsets inside heap-allocated network buffers to uint32_t pointers and dereferences them, without regard to whether the address is 4-byte aligned.

On strict-alignment architectures such as ARM, a misaligned load raises SIGBUS and the process dies immediately. On x86_64 the hardware tolerates misaligned loads, but the access is still undefined behavior in C, so the compiler is free to assume alignment and the result can be subtle, hard-to-diagnose failures.

This flaw can be exploited remotely by sending a specially crafted UDP packet sequence, triggering the misaligned access and resulting in a denial-of-service condition. 
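The following is an added example, not sslh's own code: the cast-based read the fix removes, shown beside two alignment-safe ways to read a 32-bit field out of a packet buffer, plus the alignment precondition the cast silently assumes. The buffer layout (a one-byte opcode followed by a big-endian 32-bit field at offset 1) is constructed for illustration and is not sslh's OpenVPN probe logic.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <arpa/inet.h>

/* Pattern the fix removes: casting an arbitrary byte pointer to uint32_t*.
 * Undefined behaviour whenever p is not 4-byte aligned and SIGBUS on
 * strict-alignment CPUs. Shown for contrast only; never called below on
 * anything but an aligned address. */
static uint32_t read_be32_unsafe(const unsigned char *p)
{
    return ntohl(*(const uint32_t *)p);
}

/* Safe form 1: assemble the value byte by byte. Valid at any offset and
 * independent of host endianness, so ntohl() is not needed. */
static uint32_t read_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Safe form 2: memcpy into a properly aligned local. Compilers emit a single
 * load where the CPU permits it, so this costs nothing over the cast. */
static uint32_t read_be32_memcpy(const unsigned char *p)
{
    uint32_t v;
    memcpy(&v, p, sizeof v);
    return ntohl(v);
}

/* Would a uint32_t load at p + off be aligned? This is the precondition the
 * cast above assumes without checking. */
static int is_aligned32(const unsigned char *p, size_t off)
{
    return ((uintptr_t)(p + off) % sizeof(uint32_t)) == 0;
}

/* Constructed buffer: a one-byte opcode followed by a big-endian 32-bit field
 * at offset 1, so the field is deliberately misaligned. The union with a
 * uint32_t forces the buffer itself to 4-byte alignment, which makes the
 * alignment of each offset predictable for the demonstration. */
static const union {
    uint32_t      align;
    unsigned char b[8];
} pkt = { .b = { 0x38, 0xDE, 0xAD, 0xBE, 0xEF, 0x00, 0x00, 0x00 } };

/* Read a field the way a probe should: safely, regardless of offset. */
static uint32_t probe_field(size_t off)
{
    return read_be32(pkt.b + off);
}

int main(void)
{
    printf("offset 1 aligned for uint32_t: %s\n", is_aligned32(pkt.b, 1) ? "yes" : "no");
    printf("field at offset 1 (byte-wise): 0x%08X\n", (unsigned)probe_field(1));
    printf("field at offset 1 (memcpy):    0x%08X\n", (unsigned)read_be32_memcpy(pkt.b + 1));
    /* The cast-based reader is only used where its precondition holds. */
    if (is_aligned32(pkt.b, 4))
        printf("field at offset 4 (cast, aligned): 0x%08X\n", (unsigned)read_be32_unsafe(pkt.b + 4));
    return 0;
}
```

Either safe reader is the right drop-in for a probe that parses untrusted packets: the attacker controls the packet contents but not the alignment of the offsets the parser chooses, so the parser must not assume any.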

The vulnerability is classified as Use of Out-of-range Pointer Offset (CWE-823) and affects all sslh versions before 2.2.4.

Both vulnerabilities have been addressed in sslh version 2.2.4. The segmentation fault in sslh-select and sslh-ev was fixed in commit ff8206f7c, while the misaligned memory access was resolved in commit 204305a88fb.

Users are strongly urged to upgrade to sslh v2.2.4 or later; there is no configuration-only workaround for either flaw.

Security experts also recommend configuring system-level resource limits to further reduce the impact of DoS attacks, especially for instances exposed directly to the internet.

While sslh remains a valuable tool for multiplexing network services, these vulnerabilities underscore the importance of rigorous code audits of protocol-parsing code that handles untrusted input, and of timely patching.

With the release of v2.2.4, sslh users can restore confidence in the tool's resilience against remote denial-of-service threats.
