CVE-2025-26465 & CVE-2025-26466

[KrisBoeckx]

Prerequisites

• Write a descriptive title.
• Make sure you are able to repro it on the latest version
• Search the existing issues.

Steps to reproduce

Please explain how CVE-2025-26465 & CVE-2025-26466 impacts or does not impacts current version op Win32-OpenSSH.

See https://blog.qualys.com/vulnerabilities-threat-research/2025/02/18/qualys-tru-discovers-two-vulnerabilities-in-openssh-cve-2025-26465-cve-2025-26466 for more information.

Expected behavior

being patched of not vulnerable

Actual behavior

we don't know

Error details

Environment data

not relevant

Version

v9.8.1.0p1-Preview

Visuals

No response

[mveck]

Please Report this following the security policy, I am afraid that issues is not the correct location and is not monitored too well.

With kind regards,
Menno

[KrisBoeckx]

Why is this not taken care by the team ? There are OpenSSH CVE's.
This seems like they don't care and won't fix the issue. this makes this software highly untrustable.

I don't know how to post this following the security policy.

[mveck]

Hi Microsoft is using a form. They are not monitoring the GitHub for security. I think I am going to use that. With respect to these vulnerabilities, they might not be applicable to all uses. P.s. I don't work for that company. With kind regards, Menno van Eck Op di 18 mrt 2025, 10:12 schreef KrisBoeckx ***@***.***>:

…

Why is this not taken care by the team ? There are OpenSSH CVE's. This seems like they don't care and won't fix the issue. this makes this software *highly untrustable.* I don't know how to post this following the security policy. — Reply to this email directly, view it on GitHub <#2331 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AIP3AVL5HD76NPHZR7KXY3D2U7PRBAVCNFSM6AAAAABXX5DVB6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDOMZSGIZTKNJYGQ> . You are receiving this because you commented.Message ID: ***@***.***> [image: KrisBoeckx]*KrisBoeckx* left a comment (PowerShell/Win32-OpenSSH#2331) <#2331 (comment)> Why is this not taken care by the team ? There are OpenSSH CVE's. This seems like they don't care and won't fix the issue. this makes this software *highly untrustable.* I don't know how to post this following the security policy. — Reply to this email directly, view it on GitHub <#2331 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AIP3AVL5HD76NPHZR7KXY3D2U7PRBAVCNFSM6AAAAABXX5DVB6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDOMZSGIZTKNJYGQ> . You are receiving this because you commented.Message ID: ***@***.***>

[KrisBoeckx]

It is just strange that there is no follow up on vulnerabilities at all.

[StevenBucher98]

We have been very aware of these CVEs since their discovery and have been working to merge them into our project, expect a GitHub release mid April containing the changes. Thank you for your patience.

[mveck]

Thanks Steven, Agree to close with this estimation. Menno. Op di 18 mrt 2025, 16:08 schreef Steven Bucher ***@***.***>:

…

We have been very aware of these CVEs since their discovery and have been working to merge them into our project, expect a GitHub release mid April containing the changes. Thank you for your patience. — Reply to this email directly, view it on GitHub <#2331 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AIP3AVOMWIOP3VT5S2DCORL2VAZHPAVCNFSM6AAAAABXX5DVB6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDOMZTGYYDCNRSGU> . You are receiving this because you commented.Message ID: ***@***.***> [image: StevenBucher98]*StevenBucher98* left a comment (PowerShell/Win32-OpenSSH#2331) <#2331 (comment)> We have been very aware of these CVEs since their discovery and have been working to merge them into our project, expect a GitHub release mid April containing the changes. Thank you for your patience. — Reply to this email directly, view it on GitHub <#2331 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AIP3AVOMWIOP3VT5S2DCORL2VAZHPAVCNFSM6AAAAABXX5DVB6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDOMZTGYYDCNRSGU> . You are receiving this because you commented.Message ID: ***@***.***>

[KrisBoeckx]

Ok, thanks for the info