Critical sslh Vulnerabilities Let Hackers Trigger Remote DoS Attacks

Two critical vulnerabilities have been disclosed in sslh, a popular protocol demultiplexer that allows several services to share the same listening port.

The flaws, tracked as CVE-2025-46807 and CVE-2025-46806, can be exploited remotely to trigger denial-of-service (DoS) attacks against the demultiplexer, and with it every service it fronts.

Both vulnerabilities affect sslh versions prior to v2.2.4; fixes are included in that release.

File Descriptor Exhaustion DoS Flaw (CVE-2025-46807)

The first vulnerability is a file descriptor exhaustion that ends in a segmentation fault in the sslh-select and sslh-ev variants of the daemon.

According to the SUSE security team, sslh's UDP connection handling only checks connection timeouts when network activity occurs. A remote attacker can therefore open UDP connections and then go silent: the idle entries are never expired, and their sockets accumulate until the process hits the 1024 file descriptor limit.

“When the file descriptor limit is encountered, sslh crashes with a segmentation fault, as it attempts to dereference new_cnx, which is a NULL pointer in this case,” the report explains.

This is a straightforward remote DoS vector: any host that can reach the UDP port can crash the daemon and take every multiplexed service offline.

The vulnerability can be triggered by opening a large number of UDP connections, each of which sends only a single byte of data. The researchers reproduced the crash against an OpenVPN probe configured for UDP, sending a single 0x08 byte per connection.

The fix, implemented in commit ff8206f7c, removes the segmentation fault, but the researchers note that “UDP sockets potentially still stay open for a longer time until further traffic is processed by sslh”, so the underlying resource pressure is reduced rather than eliminated.
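The two defences a demultiplexer needs against this failure mode, as an added illustration that is not sslh's code: a NULL check on the connection allocator (the dereference of new_cnx described above) and an expiry sweep driven by a timer rather than by incoming traffic. The table size, the timeout value and the function names are assumptions chosen for the example.

```c
/* Added model of the failure mode behind CVE-2025-46807 and of the two
 * defences a demultiplexer needs. Illustrative code, not sslh's: the table
 * size, the timeout and the function names are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_CNX 4          /* stand-in for the 1024 descriptor limit */
#define UDP_TIMEOUT 30     /* seconds of silence before a UDP entry expires */

struct cnx {
    int in_use;
    int fd;                /* socket descriptor owned by this entry (hypothetical) */
    int64_t last_active;   /* time of the last datagram seen from this peer */
};

static struct cnx table[MAX_CNX];

/* Returns a free entry, or NULL when every slot is taken. The vulnerable
 * code path dereferenced this return value without checking it. */
struct cnx *cnx_alloc(int fd, int64_t now)
{
    for (size_t i = 0; i < MAX_CNX; i++) {
        if (!table[i].in_use) {
            table[i].in_use = 1;
            table[i].fd = fd;
            table[i].last_active = now;
            return &table[i];
        }
    }
    return NULL;
}

/* Hardened handler for a datagram from an unknown peer: refuse it when the
 * table is full instead of crashing. Returns 0 on success, -1 if refused.
 *
 * The vulnerable shape, for comparison, was simply
 *     struct cnx *new_cnx = cnx_alloc(fd, now);
 *     new_cnx->last_active = now;   // NULL dereference once the table is full
 */
int handle_new_peer(int fd, int64_t now)
{
    struct cnx *new_cnx = cnx_alloc(fd, now);
    if (new_cnx == NULL)
        return -1;          /* caller drops the datagram and closes fd */
    new_cnx->last_active = now;
    return 0;
}

/* Timer-driven expiry. Run this from a periodic timer, not only when traffic
 * arrives: an attacker who sends one byte per peer and then stays silent
 * produces no further activity, so activity-driven expiry never fires.
 * Returns the number of entries released. */
int expire_idle(int64_t now)
{
    int freed = 0;
    for (size_t i = 0; i < MAX_CNX; i++) {
        if (table[i].in_use && now - table[i].last_active >= UDP_TIMEOUT) {
            /* a real server would close(table[i].fd) here */
            memset(&table[i], 0, sizeof table[i]);
            freed++;
        }
    }
    return freed;
}

int cnx_count(void)
{
    int n = 0;
    for (size_t i = 0; i < MAX_CNX; i++)
        n += table[i].in_use;
    return n;
}

void cnx_reset(void)
{
    memset(table, 0, sizeof table);
}

int main(void)
{
    cnx_reset();
    for (int fd = 10; fd < 10 + MAX_CNX; fd++)
        handle_new_peer(fd, 100);                 /* attacker fills the table */
    printf("fifth peer refused: %d\n", handle_new_peer(99, 101) == -1);
    printf("entries released by sweep at t=130: %d\n", expire_idle(130));
    return 0;
}
```

With the table full, a fifth peer is refused rather than dereferencing NULL, and the sweep at t=130 releases all four silent entries even though none of them sent another byte.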

Misaligned Memory Access in OpenVPN Protocol (CVE-2025-46806)

The second vulnerability stems from misaligned memory accesses in the OpenVPN protocol probe. The issue sits in the UDP code path of the is_openvpn_protocol() function, which reads a 32-bit value directly out of the packet buffer at an unaligned offset.

The probe dereferences a uint32_t pointer into memory 25 bytes after the start of the heap-allocated network buffer. Because heap allocations are aligned to at least 8 bytes, an address 25 bytes in is never 4-byte aligned, so the load is undefined behaviour in C.

On x86 the hardware tolerates such loads and the bug goes unnoticed, but on architectures that enforce alignment (the report names ARM) the access raises SIGBUS, crashing the daemon and disrupting service.

The researchers reproduced this by sending a UDP packet consisting of at least 29 0x08 bytes (enough to reach offset 25 plus a 4-byte read), which triggered runtime alignment errors.

The fix in commit 204305a88fb3 takes the safer approach of copying the integer out of the buffer with memcpy() into a local stack variable, which is properly aligned, instead of dereferencing a pointer cast into raw network data.
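The vulnerable read pattern next to the memcpy()-based pattern the fix uses, as an added example that is not sslh's probe code. The probe function, its return codes and the field layout are assumptions made for the illustration; the offset of 25 and the 29-byte 0x08 reproducer are the values reported above.

```c
/* Added illustration of the misaligned read behind CVE-2025-46806 beside
 * the memcpy()-based pattern the fix uses. Not sslh's probe code: the probe
 * function, the return codes and the field layout are assumptions; the
 * offset 25 and the 29-byte reproducer come from the advisory. */
#include <arpa/inet.h>     /* ntohl */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FIELD_OFFSET 25                              /* from the advisory */
#define MIN_LEN (FIELD_OFFSET + sizeof(uint32_t))    /* 29 bytes */

enum { PROBE_AGAIN = -1, PROBE_NO_MATCH = 0, PROBE_MATCH = 1 };

/* Vulnerable pattern: reinterpret the packet bytes as a uint32_t in place.
 * malloc() returns memory aligned to at least 8 bytes, so p + 25 is never
 * 4-byte aligned; the load is undefined behaviour and raises SIGBUS on
 * strict-alignment targets. Kept only for comparison; never called here. */
uint32_t read_u32_be_cast(const unsigned char *p, size_t off)
{
    return ntohl(*(const uint32_t *)(p + off));
}

/* Fixed pattern: copy the bytes into an aligned local first. The compiler
 * emits a plain load on x86 and a byte-wise sequence on strict targets. */
uint32_t read_u32_be(const unsigned char *p, size_t off)
{
    uint32_t v;
    memcpy(&v, p + off, sizeof v);
    return ntohl(v);
}

/* True if addr is not aligned to `align` bytes; lets a test prove that the
 * cast path would fault on a strict-alignment target. */
int is_misaligned(const void *addr, size_t align)
{
    return ((uintptr_t)addr % align) != 0;
}

/* Hypothetical UDP probe: bounds-check before reaching offset 25 so a short
 * packet asks for more data instead of reading past the buffer, then decode
 * the field with the alignment-safe helper. */
int probe_udp(const unsigned char *pkt, size_t len, uint32_t *field)
{
    if (len < MIN_LEN)
        return PROBE_AGAIN;
    *field = read_u32_be(pkt, FIELD_OFFSET);
    return PROBE_MATCH;
}

/* Builds the advisory's reproducer: n bytes of 0x08 in a heap buffer
 * (constructed input). Caller frees. */
unsigned char *make_repro(size_t n)
{
    unsigned char *buf = malloc(n ? n : 1);
    if (buf)
        memset(buf, 0x08, n);
    return buf;
}

int main(void)
{
    unsigned char *pkt = make_repro(29);
    uint32_t field = 0;
    if (!pkt)
        return 1;
    printf("pkt+25 misaligned for a 4-byte load: %d\n",
           is_misaligned(pkt + FIELD_OFFSET, 4));
    printf("probe: %d, field: 0x%08x\n", probe_udp(pkt, 29, &field), field);
    free(pkt);
    return 0;
}
```

The 29-byte reproducer decodes to 0x08080808 through the memcpy() path on any architecture, while is_misaligned() shows that the address the cast version would load from is off by one from 4-byte alignment, which is exactly what a strict-alignment CPU refuses.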

CVE              Affected products               Impact              Exploit prerequisites                                                                  CVSS 3.1 score
CVE-2025-46807   sslh versions prior to 2.2.4    Denial of service   sslh configured for UDP protocols; attacker can open many UDP connections, each sending a single byte   7.5 (High)
CVE-2025-46806   sslh versions prior to 2.2.4    Denial of service   OpenVPN probe enabled on a UDP listener; attacker sends a UDP packet of 29 or more 0x08 bytes        7.5 (High)

Mitigation Measures

These vulnerabilities affect systems that use sslh to multiplex services on a shared port, a common setup for reaching services through restrictive corporate firewalls. Both issues are reachable only over UDP: CVE-2025-46807 requires sslh to be configured for UDP protocols, and CVE-2025-46806 requires the OpenVPN probe on a UDP listener. Deployments that multiplex TCP only are not exposed to these two flaws.

The sslh-fork variant copes better with file descriptor exhaustion than the select and ev variants, but because it spawns a process per connection it could still be exhausted through excessive process creation.

Administrators are advised to upgrade to sslh v2.2.4 immediately, as it contains the fixes for both vulnerabilities.

For added protection against more sophisticated DoS attacks, the SUSE Security Team recommends “customizing their setup to enforce resource consumption limits on operating system level”. On a systemd host, for example, that means directives such as LimitNOFILE= and TasksMax= in the sslh service unit, combined with rate limiting of inbound UDP in the packet filter.

“Overall we believe sslh is in good shape. There is little attack surface, and hardenings are in place by default. With the two remote DoS vectors fixed, it should be safe to use sslh in production,” concludes the security report.


The post Critical sslh Vulnerabilities Let Hackers Trigger Remote DoS Attacks appeared first on Cyber Security News.