libssh-0.10.4-18.el9
エラータID: AXSA:2026-882:01
libssh is a library which implements the SSH protocol. It can be used to implement client and server applications.
Security Fix(es):
* libssh: Double Free Vulnerability in libssh Key Export Functions (CVE-2025-5351)
* libssh: Use of uninitialized variable in privatekey_from_file() (CVE-2025-4878)
* libssh: Write beyond bounds in binary to base64 conversion functions (CVE-2025-4877)
* libssh: NULL Pointer Dereference in libssh KEX Session ID Calculation (CVE-2025-8114)
* libssh: Memory Exhaustion via Repeated Key Exchange in libssh (CVE-2025-8277)
* libssh: Buffer underflow in ssh_get_hexa() on invalid input (CVE-2026-0966)
* libssh: Improper sanitation of paths received from SCP servers (CVE-2026-0964)
* libssh: libssh: Denial of Service via improper configuration file handling (CVE-2026-0965)
* libssh: libssh: Denial of Service via inefficient regular expression processing (CVE-2026-0967)
* libssh: libssh: Denial of Service due to malformed SFTP message (CVE-2026-0968)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2025-4877
There's a vulnerability in the libssh package where when a libssh consumer passes in an unexpectedly large input buffer to ssh_get_fingerprint_hash() function. In such cases the bin_to_base64() function can experience an integer overflow leading to a memory under allocation, when that happens it's possible that the program perform out of bounds write leading to a heap corruption. This issue affects only 32-bits builds of libssh.
CVE-2025-4878
A vulnerability was found in libssh, where an uninitialized variable exists under certain conditions in the privatekey_from_file() function. This flaw can be triggered if the file specified by the filename doesn't exist and may lead to possible signing failures or heap corruption.
CVE-2025-5351
A flaw was found in the key export functionality of libssh. The issue occurs in the internal function responsible for converting cryptographic keys into serialized formats. During error handling, a memory structure is freed but not cleared, leading to a potential double free issue if an additional failure occurs later in the function. This condition may result in heap corruption or application instability in low-memory scenarios, posing a risk to system reliability where key export operations are performed.
CVE-2025-8114
A flaw was found in libssh, a library that implements the SSH protocol. When calculating the session ID during the key exchange (KEX) process, an allocation failure in cryptographic functions may lead to a NULL pointer dereference. This issue can cause the client or server to crash.
CVE-2025-8277
A flaw was found in libssh's handling of key exchange (KEX) processes when a client repeatedly sends incorrect KEX guesses. The library fails to free memory during these rekey operations, which can gradually exhaust system memory. This issue can lead to crashes on the client side, particularly when using libgcrypt, which impacts application stability and availability.
CVE-2026-0964
A malicious SCP server can send unexpected paths that could make the client application override local files outside of working directory. This could be misused to create malicious executable or configuration files and make the user execute them under specific consequences. This is the same issue as in OpenSSH, tracked as CVE-2019-6111.
CVE-2026-0965
A flaw was found in libssh where it can attempt to open arbitrary files during configuration parsing. A local attacker can exploit this by providing a malicious configuration file or when the system is misconfigured. This vulnerability could lead to a Denial of Service (DoS) by causing the system to try and access dangerous files, such as block devices or large system files, which can disrupt normal operations.
CVE-2026-0966
A flaw was found in libssh. The API function `ssh_get_hexa()` is vulnerable to a denial of service when processing zero-length input. This can be exploited remotely by an attacker during GSSAPI (Generic Security Service Application Program Interface) authentication if the server's logging verbosity is set to `SSH_LOG_PACKET (3)` or higher. Successful exploitation could lead to a self-Denial of Service of the per-connection daemon process.
CVE-2026-0967
A flaw was found in libssh. A remote attacker, by controlling client configuration files or known_hosts files, could craft specific hostnames that when processed by the `match_pattern()` function can lead to inefficient regular expression backtracking. This can cause timeouts and resource exhaustion, resulting in a Denial of Service (DoS) for the client.
CVE-2026-0968
A flaw was found in libssh in which a malicious SFTP (SSH File Transfer Protocol) server can exploit this by sending a malformed 'longname' field within an `SSH_FXP_NAME` message during a file listing operation. This missing null check can lead to reading beyond allocated memory on the heap. This can cause unexpected behavior or lead to a denial of service (DoS) due to application crashes.
Update packages.
There's a vulnerability in the libssh package where when a libssh consumer passes in an unexpectedly large input buffer to ssh_get_fingerprint_hash() function. In such cases the bin_to_base64() function can experience an integer overflow leading to a memory under allocation, when that happens it's possible that the program perform out of bounds write leading to a heap corruption. This issue affects only 32-bits builds of libssh.
A vulnerability was found in libssh, where an uninitialized variable exists under certain conditions in the privatekey_from_file() function. This flaw can be triggered if the file specified by the filename doesn't exist and may lead to possible signing failures or heap corruption.
A flaw was found in the key export functionality of libssh. The issue occurs in the internal function responsible for converting cryptographic keys into serialized formats. During error handling, a memory structure is freed but not cleared, leading to a potential double free issue if an additional failure occurs later in the function. This condition may result in heap corruption or application instability in low-memory scenarios, posing a risk to system reliability where key export operations are performed.
A flaw was found in libssh, a library that implements the SSH protocol. When calculating the session ID during the key exchange (KEX) process, an allocation failure in cryptographic functions may lead to a NULL pointer dereference. This issue can cause the client or server to crash.
A flaw was found in libssh's handling of key exchange (KEX) processes when a client repeatedly sends incorrect KEX guesses. The library fails to free memory during these rekey operations, which can gradually exhaust system memory. This issue can lead to crashes on the client side, particularly when using libgcrypt, which impacts application stability and availability.
A malicious SCP server can send unexpected paths that could make the client application override local files outside of working directory. This could be misused to create malicious executable or configuration files and make the user execute them under specific consequences. This is the same issue as in OpenSSH, tracked as CVE-2019-6111.
A flaw was found in libssh where it can attempt to open arbitrary files during configuration parsing. A local attacker can exploit this by providing a malicious configuration file or when the system is misconfigured. This vulnerability could lead to a Denial of Service (DoS) by causing the system to try and access dangerous files, such as block devices or large system files, which can disrupt normal operations.
A flaw was found in libssh. The API function `ssh_get_hexa()` is vulnerable to a denial of service when processing zero-length input. This can be exploited remotely by an attacker during GSSAPI (Generic Security Service Application Program Interface) authentication if the server's logging verbosity is set to `SSH_LOG_PACKET (3)` or higher. Successful exploitation could lead to a self-Denial of Service of the per-connection daemon process.
A flaw was found in libssh. A remote attacker, by controlling client configuration files or known_hosts files, could craft specific hostnames that when processed by the `match_pattern()` function can lead to inefficient regular expression backtracking. This can cause timeouts and resource exhaustion, resulting in a Denial of Service (DoS) for the client.
A flaw was found in libssh in which a malicious SFTP (SSH File Transfer Protocol) server can exploit this by sending a malformed 'longname' field within an `SSH_FXP_NAME` message during a file listing operation. This missing null check can lead to reading beyond allocated memory on the heap. This can cause unexpected behavior or lead to a denial of service (DoS) due to application crashes.
N/A
SRPMS
- libssh-0.10.4-18.el9.src.rpm
MD5: d37e3c938fb00465d382dcb3977efe56
SHA-256: 1ca1f4525fe6c0c6e94a0472864cda4d04fe80351e517989757a1118358aa55e
Size: 687.99 kB
Asianux Server 9 for x86_64
- libssh-0.10.4-18.el9.i686.rpm
MD5: 6af682c9e02b3affab0f3117f31fa715
SHA-256: 2960d90c0cd24ad7365d2c52f143e29b2723eaeb6b12fc710d1666ea73f49d95
Size: 228.87 kB - libssh-0.10.4-18.el9.x86_64.rpm
MD5: 3fa2c3ef94e8b7a79fca8f16d128d32c
SHA-256: 24aa5c101406abc9ce45c667ebf394da35e115d480887913624ce012712bafb0
Size: 213.13 kB - libssh-config-0.10.4-18.el9.noarch.rpm
MD5: 4c15f89c89c113a902de0a747793c29e
SHA-256: bc31c9d5aaa4c65d4e86326361dd6cc0dd023911dc078dc51e934f9c1265421e
Size: 7.97 kB - libssh-devel-0.10.4-18.el9.i686.rpm
MD5: 22b9468032fd7e8454c54da78db8ed71
SHA-256: 477f78b9ff068d631079d1942ad561b33b6570e5cca8a07aa086187506400e2d
Size: 37.56 kB - libssh-devel-0.10.4-18.el9.x86_64.rpm
MD5: 50ed32f2505197c8a8a213d086af374f
SHA-256: 2b8f8b2180a67457477f2d84e13483a5be1dc856132a3c14cbf8ccc051945805
Size: 37.55 kB