A flaw was found in libssh. The API function ssh_get_hexa() is vulnerable to a denial of service when processing zero-length input. This can be exploited remotely by an attacker during GSSAPI (Generic Security Service Application Program Interface) authentication if the servers logging verbosity is set to SSH_LOG_PACKET (3) or higher. Successful exploitation could lead to a self-Denial of Service of the per-connection daemon process.
Weakness
The product writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Libssh | Libssh | * | 0.11.4 (excluding) |
| Hardened_images | Redhat | - (including) | - (including) |
| Openshift_container_platform | Redhat | 4.0 (including) | 4.0 (including) |
| Enterprise_linux | Redhat | 8.0 (including) | 8.0 (including) |
| Enterprise_linux | Redhat | 9.0 (including) | 9.0 (including) |
| Enterprise_linux | Redhat | 10.0 (including) | 10.0 (including) |
| Red Hat Enterprise Linux 10 | RedHat | libssh-0:0.12.0-2.el10 | * |
| Red Hat Enterprise Linux 9 | RedHat | libssh-0:0.10.4-18.el9 | * |
| Red Hat Enterprise Linux 9 | RedHat | libssh-0:0.10.4-18.el9 | * |
| Red Hat Hardened Images | RedHat | libssh-main-0.12.0-1.1.hum1 | * |
| Libssh | Ubuntu | devel | * |
| Libssh | Ubuntu | esm-infra-legacy/xenial | * |
| Libssh | Ubuntu | esm-infra/bionic | * |
| Libssh | Ubuntu | esm-infra/focal | * |
| Libssh | Ubuntu | esm-infra/xenial | * |
| Libssh | Ubuntu | jammy | * |
| Libssh | Ubuntu | noble | * |
| Libssh | Ubuntu | questing | * |
| Libssh | Ubuntu | upstream | * |
Potential Mitigations
References
- https://access.redhat.com/errata/RHSA-2026:18160
- https://access.redhat.com/errata/RHSA-2026:18683
- https://access.redhat.com/errata/RHSA-2026:7067
- https://access.redhat.com/security/cve/CVE-2026-0966
- https://bugzilla.redhat.com/show_bug.cgi?id=2433121
- https://www.libssh.org/2026/02/10/libssh-0-12-0-and-0-11-4-security-releases/