OpenSSH Pre-Auth Double Free Writeup & PoC [CVE-2023-25136]

We discussed this vulnerability during Episode 188 on 14 February 2023

A use-after-free (UAF) that yields a double free in OpenSSH and is hittable pre-authentication. The bug mainly comes down to the compat_kex_proposal function used during key exchange, and its support for older clients that set the SSH_OLD_DHGEX flag. In that case, it would free() the kex_algorithms field from the options object, but also return that same pointer. Later on, kex_algorithms is passed into the ASSEMBLE macro to assemble a list of algorithms, which frees it again, causing a double free.
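As an added illustration (this is not OpenSSH's code, and the function names, shapes and the sample algorithm list are hypothetical), a minimal C model of the ownership mistake described above, beside the form that keeps ownership unambiguous:

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

/* Return a fresh copy of the comma-separated `list` with every entry equal to
 * `deny` removed. Never frees or modifies `list`; the caller owns the result. */
static char *filter_denylist(const char *list, const char *deny)
{
    char *out = malloc(strlen(list) + 1), *copy = strdup(list);
    if (out == NULL || copy == NULL) { free(out); free(copy); return NULL; }
    out[0] = '\0';
    for (char *tok = strtok(copy, ","); tok != NULL; tok = strtok(NULL, ",")) {
        if (strcmp(tok, deny) == 0) continue;
        if (out[0] != '\0') strcat(out, ",");
        strcat(out, tok);
    }
    free(copy);
    return out;
}

/* Buggy shape (modelled on the description above, hypothetical): frees the
 * caller's buffer and hands the same pointer back. Never called; for contrast. */
__attribute__((unused))
static char *compat_proposal_buggy(char *kex_algorithms, int old_dhgex)
{
    if (old_dhgex)
        free(kex_algorithms);   /* options still holds this pointer ... */
    return kex_algorithms;      /* ... and the caller will free() it again */
}

/* Fixed shape: one ownership rule. The input is never freed here, and the
 * result is always a new allocation that the caller frees exactly once. */
static char *compat_proposal_fixed(const char *kex_algorithms, int old_dhgex)
{
    if (!old_dhgex)
        return strdup(kex_algorithms);
    return filter_denylist(kex_algorithms, "diffie-hellman-group-exchange-sha1");
}

/* Model of the caller: the options string and the proposal copy are distinct
 * allocations, each freed once. Returns 1 if the proposal equals `expected`. */
int kex_model_matches(int old_dhgex, const char *expected)
{
    char *options_kex = strdup("curve25519-sha256,diffie-hellman-group-exchange-sha1");
    char *proposal = options_kex ? compat_proposal_fixed(options_kex, old_dhgex) : NULL;
    int ok = proposal != NULL && strcmp(proposal, expected) == 0;
    free(proposal);     /* first and only free of the proposal */
    free(options_kex);  /* first and only free of the options string */
    return ok;
}
```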

It’s hard to imagine how this code was supposed to work at all, as it seems the only condition for triggering it is connecting with an older client. Though this is pre-auth, it would be difficult to exploit this vuln remotely. OpenSSH does have sandboxing in place, and you’d have to find a good heap reallocation gadget that’s accessible pre-auth, which is probably uncommon. However, since the process you’d be targeting is a daemon spun up for that connection, you could keep trying until you got it to work without crashing the main ssh daemon.