PuTTY vulnerability rsakex-double-free

This is a mirror. Follow this link to find the primary PuTTY web site.

summary: Server can provoke a double free in RSA KEX code
class: vulnerability: This is a security vulnerability.
absent-in: 7a49ff9ac1f65944434176251b0bfea9fcc44636
present-in: 6d7a6d47e68e8368216f3ab1a0d071db32d20a11 0.72 0.73 0.74 0.75 0.76 0.77 0.78 0.79 0.80 0.81 0.82 0.83
fixed-in: ba3ed53e0bf6682f89940bc2c3e83da6b1524024 (0.84)

PuTTY's implementation of the little-used RSA kex exchange method (RFC 4432) has a double-free bug: in some situations it frees an RSA key by calling the special-purpose function ssh_rsakex_freekey and then also calling the normal free function on the outermost struct, which is wrong, because ssh_rsakex_freekey already freed the whole struct.

This bug does not happen if RSA kex completes normally. The double-free only occurs on an error handling path, triggered if the key sent by the server is unexpectedly short.

This bug allows a server to provoke the double-free on purpose, because it can present only RSA kex as an option in its KEXINIT, and then deliberately send a short key. Since it happens before host key verification, a MITM can do the same. Therefore, this bug is listed as a vulnerability, since it's a remote-triggerable crash. However, we don't know of any way in which the double-free can be exploited to achieve a controllable effect.

Thanks to Ben Smyth for the report.

Apparently this was introduced during work in 2019 to make a test SSH server out of the PuTTY code (including an option to pass in a fixed key pair for RSA kex, complicating the question of whether to free it after use). Confusion was increased by the historical oddity that PuTTY's RSA keys were originally held in a struct that was not freed along with its contents.

If you want to comment on this web site, see the Feedback page.

Audit trail for this vulnerability.

(last revision of this bug record was at 2026-05-22 11:23:45 +0100)