
CVSS: 3.3 | EPSS: 0% | CPEs: 3 | EXPL: 0

26 Mar 2026 — A flaw was found in libssh where it can attempt to open arbitrary files during configuration parsing. A local attacker can exploit this by providing a malicious configuration file or when the system is misconfigured. This vulnerability could lead to a Denial of Service (DoS) by causing the system to try and access dangerous files, such as block devices or large system files, which can disrupt normal operations. • https://access.redhat.com/security/cve/CVE-2026-0965 • CWE-73: External Control of File Name or Path

CVSS: 5.5 | EPSS: 0% | CPEs: 3 | EXPL: 0

26 Mar 2026 — A flaw was found in libssh. A remote attacker, by controlling client configuration files or known_hosts files, could craft specific hostnames that when processed by the `match_pattern()` function can lead to inefficient regular expression backtracking. This can cause timeouts and resource exhaustion, resulting in a Denial of Service (DoS) for the client. • https://access.redhat.com/security/cve/CVE-2026-0967 • CWE-1333: Inefficient Regular Expression Complexity

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

08 Mar 2026 — A weakness has been identified in libssh up to 0.11.3. The impacted element is the function sftp_extensions_get_name/sftp_extensions_get_data of the file src/sftp.c of the component SFTP Extension Name Handler. Executing a manipulation of the argument idx can lead to out-of-bounds read. The attack may be performed from remote. Upgrading to version 0.11.4 and 0.12.0 is sufficient to resolve this issue. • https://gitlab.com/libssh/libssh-mirror/-/commit/855a0853ad3abd4a6cd85ce06fce6d8d4c7a0b60 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer; CWE-125: Out-of-bounds Read

CVSS: 9.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

04 Jul 2025 — A flaw was found in libssh versions built with OpenSSL versions older than 3.0, specifically in the ssh_kdf() function responsible for key derivation. Due to inconsistent interpretation of return values (OpenSSL uses 0 to indicate failure and libssh uses 0 for success), the function may mistakenly return a success status even when key derivation fails. This results in uninitialized cryptographic key buffers being used in subsequent communication, potentially compromising SSH sessions' confidentiality, in... • https://access.redhat.com/security/cve/CVE-2025-5372 • CWE-682: Incorrect Calculation

CVSS: 9.8 | EPSS: 52% | CPEs: 79 | EXPL: 5

18 Dec 2023 — The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phas... • https://packetstorm.news/files/id/176280 • CWE-222: Truncation of Security-relevant Information; CWE-354: Improper Validation of Integrity Check Value

CVSS: 6.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

21 Jul 2023 — A missing allocation check in sftp server processing read requests may cause a NULL dereference on low-memory conditions. The malicious client can request up to 4GB SFTP reads, causing allocation of up to 4GB buffers, which was not being checked for failure. This will likely crash the authenticated user's sftp server connection (if implemented as forking as recommended). For thread-based servers, this might also cause DoS for legitimate users. Given this code is not in any released versions, no security rel... • https://access.redhat.com/security/cve/CVE-2023-3603 • CWE-476: NULL Pointer Dereference

CVSS: 9.3 | EPSS: 1% | CPEs: 11 | EXPL: 0

10 Dec 2019 — A flaw was found with the libssh API function ssh_scp_new() in versions before 0.9.3 and before 0.8.8. When the libssh SCP client connects to a server, the scp command, which includes a user-provided path, is executed on the server-side. In case the library is used in a way where users can influence the third parameter of the function, it would become possible for an attacker to inject arbitrary commands, leading to a compromise of the remote target. • http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00033.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS: 7.5 | EPSS: 2% | CPEs: 8 | EXPL: 0

25 Feb 2016 — The (1) SSH_MSG_NEWKEYS and (2) SSH_MSG_KEXDH_REPLY packet handlers in package_cb.c in libssh before 0.6.5 do not properly validate state, which allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted SSH packet. • http://lists.fedoraproject.org/pipermail/package-announce/2015-July/161802.html

CVSS: 5.9 | EPSS: 3% | CPEs: 9 | EXPL: 0

24 Feb 2016 — libssh before 0.7.3 improperly truncates ephemeral secrets generated for the (1) diffie-hellman-group1 and (2) diffie-hellman-group14 key exchange methods to 128 bits, which makes it easier for man-in-the-middle attackers to decrypt or intercept SSH sessions via unspecified vectors, aka a "bits/bytes confusion bug." • http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178058.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor; CWE-704: Incorrect Type Conversion or Cast

CVSS: 4.7 | EPSS: 0% | CPEs: 12 | EXPL: 0

12 Mar 2014 — The RAND_bytes function in libssh before 0.6.3, when forking is enabled, does not properly reset the state of the OpenSSL pseudo-random number generator (PRNG), which causes the state to be shared between child processes and allows local users to obtain sensitive information by leveraging a pid collision. • http://lists.opensuse.org/opensuse-updates/2014-03/msg00036.html • CWE-310: Cryptographic Issues