Subject: [ASA-202506-9] sslh: denial of service

Arch Linux Security Advisory ASA-202506-9
=========================================

Severity: Medium
Date    : 2025-06-21
CVE-ID  : CVE-2025-46807
Package : sslh
Type    : denial of service
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2902

Summary
=======

The package sslh before version 2.2.4-1 is vulnerable to denial of service.

Resolution
==========

Upgrade to 2.2.4-1.

# pacman -Syu "sslh>=2.2.4-1"

The problem has been fixed upstream in version 2.2.4.

Workaround
==========

None.

Description
===========

An Allocation of Resources Without Limits or Throttling vulnerability in sslh
allows attackers to easily exhaust the file descriptors in sslh and deny
legitimate users service.

Impact
======

A remote attacker could exhaust file descriptors by opening multiple
incomplete connections, leading to denial of service.

References
==========

https://security.opensuse.org/2025/06/13/sslh-denial-of-service-vulnerabilities.html#issue-segfault
https://github.com/yrutschle/sslh/commit/ff8206f7c8a47f901b78a1b78db5a4c788f6aa6f
https://github.com/yrutschle/sslh/releases/tag/v2.2.4
https://security.archlinux.org/CVE-2025-46807
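
The following check is an added example, not part of the advisory or of sslh. It compares the installed package against the fixed version 2.2.4-1 and reports how close each running sslh process is to its open-file limit. Assumptions: a Linux /proc layout, process names beginning with "sslh", enough privilege to read /proc/<pid>/fd, and an 80% warning threshold chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the advisory. Linux /proc layout assumed.
FIXED="2.2.4-1"   # fixed package version, taken from the advisory

# soft_nofile FILE: print the soft "Max open files" limit found in a
# /proc/<pid>/limits style file.
soft_nofile() {
    awk '/^Max open files/ { print $4; exit }' "$1"
}

# fd_status OPEN LIMIT THRESHOLD_PCT: print "OK <pct>", "WARN <pct>",
# or "UNKNOWN" when the limit is missing, zero or not a number.
fd_status() {
    case "$2" in
        ''|*[!0-9]*|0) echo "UNKNOWN"; return 0 ;;
    esac
    pct=$(( $1 * 100 / $2 ))
    if [ "$pct" -ge "$3" ]; then echo "WARN $pct"; else echo "OK $pct"; fi
}

# check_sslh THRESHOLD_PCT: report package version and fd headroom.
check_sslh() {
    installed=$(pacman -Q sslh 2>/dev/null | awk '{ print $2 }')
    if [ -n "$installed" ] && [ "$(vercmp "$installed" "$FIXED")" -lt 0 ]; then
        echo "sslh $installed is older than $FIXED: upgrade"
    fi
    # Assumption: sslh process names start with "sslh".
    for pid in $(pgrep '^sslh'); do
        open=$(ls "/proc/$pid/fd" 2>/dev/null | wc -l)
        limit=$(soft_nofile "/proc/$pid/limits")
        echo "pid $pid: $open/$limit fds: $(fd_status "$open" "$limit" "${1:-80}")"
    done
}

# Runs only when asked, e.g.: sh check-sslh.sh --run 80
if [ "${1:-}" = "--run" ]; then check_sslh "${2:-80}"; fi
```

A sustained WARN on a host that has not yet been upgraded is consistent with the descriptor exhaustion described under Impact, though legitimate load can trigger it as well.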