In June 2025, the SUSE Security Team disclosed critical vulnerabilities in sslh, a lightweight protocol multiplexer used to serve multiple services, such as SSH and HTTPS, on the same port. Though designed for efficiency and firewall evasion, SUSE’s audit revealed that the tool’s C-based implementation harbored memory handling flaws that could lead to remote denial-of-service (DoS) attacks.
sslh allows multiple protocols, such as SSH, HTTPS, OpenVPN, and others, to share a single port, often TCP 443. This is particularly useful in restrictive environments that only allow outbound HTTPS. By examining the initial bytes of a connection, sslh determines the correct service and forwards the traffic accordingly.
One of the most severe findings, tracked as CVE-2025-46807, was a bug in the sslh-select and sslh-ev variants, where a high volume of incoming UDP sessions leads to file descriptor exhaustion. When the file descriptor limit (1024 by default) is reached, the program attempts to dereference a null pointer, leading to a segmentation fault and remote crash.
“Even worse, when the file descriptor limit is encountered, sslh crashes with a segmentation fault, as it attempts to dereference new_cnx, which is a NULL pointer in this case,” the report explained.
This means a remote attacker could trivially knock sslh offline by spamming UDP packets, preventing legitimate users from connecting.
The second vulnerability, tracked as CVE-2025-46806, stemmed from unsafe memory access in the OpenVPN probe. The function directly dereferenced unaligned uint32_t* pointers on heap-allocated network buffers, behavior that causes SIGBUS errors on ARM and other strict alignment architectures.
“This dereferences a uint32_t* that points to memory located 25 bytes after the start of the heap allocated network buffer… On CPU architectures like ARM this will cause a SIGBUS error, and thus represents a remote DoS attack vector,” the report wrote.
On x86_64, this is undefined behavior that is reported when the code is compiled with sanitizers, making it a silent and dangerous flaw.
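The misaligned read described above, next to a hardened form, as an added example (not sslh's code and not the upstream fix). The function name `read_u32_at`, the sample packet, and the assumption that the field is in network byte order are made up for illustration; only the offset of 25 comes from the report.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Offset taken from the report quoted above; the field's meaning and
 * byte order (network order) are assumptions made for this example. */
#define FIELD_OFFSET 25u

/* Unsafe pattern the report describes, shown for contrast and never run:
 * casting buf + 25 to uint32_t* yields a misaligned pointer, and
 * dereferencing it is undefined behavior (SIGBUS on strict-alignment CPUs). */
/* uint32_t v = ntohl(*(const uint32_t *)(buf + FIELD_OFFSET)); */

/* Hardened read: bounds-check, then memcpy into an aligned local.
 * Returns 0 on success, -1 if the packet is too short or an argument is NULL. */
int read_u32_at(const uint8_t *buf, size_t len, size_t off, uint32_t *out)
{
    uint32_t raw;

    if (buf == NULL || out == NULL)
        return -1;
    if (len < sizeof raw || off > len - sizeof raw)
        return -1;
    memcpy(&raw, buf + off, sizeof raw);
    *out = ntohl(raw);
    return 0;
}

int main(void)
{
    /* Constructed sample packet on the heap, as in the report's scenario. */
    size_t len = 32;
    uint8_t *pkt = calloc(len, 1);
    uint32_t v = 0;

    if (pkt == NULL)
        return 1;
    pkt[25] = 0x12; pkt[26] = 0x34; pkt[27] = 0x56; pkt[28] = 0x78;
    if (read_u32_at(pkt, len, FIELD_OFFSET, &v) == 0)
        printf("field = 0x%08x\n", (unsigned)v);
    /* A 27-byte packet cannot hold 4 bytes at offset 25: rejected. */
    printf("short packet rc = %d\n", read_u32_at(pkt, 27, FIELD_OFFSET, &v));
    free(pkt);
    return 0;
}
```

Building the commented-out cast with `-fsanitize=undefined` is how the misalignment shows up on x86_64; the `memcpy` form is clean on every architecture.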
Although the sslh-fork model was found to be more resilient to resource exhaustion due to its timeout mechanism, the report warned that spawning thousands of processes could still strain a system. SUSE recommends users configure system-level protections such as Linux cgroups or ulimit constraints.
“Overall we believe sslh is in good shape. There is little attack surface, and hardenings are in place by default,” the report concludes.
Both vulnerabilities have been fixed in sslh v2.2.4, with commits ff8206f7c and 204305a88fb3 addressing the segmentation fault and misaligned access, respectively.