CVE-2026-0966

EUVD-2026-16330

26.03.2026, 21:17

The API function `ssh_get_hexa()` is vulnerable, when 0-lenght
input is provided to this function. This function is used internally
in `ssh_get_fingerprint_hash()` and `ssh_print_hexa()` (deprecated),
which is vulnerable to the same input (length is provided by the
calling application).

The function is also used internally in the gssapi code for logging
the OIDs received by the server during GSSAPI authentication. This
could be triggered remotely, when the server allows GSSAPI authentication
and logging verbosity is set at least to SSH_LOG_PACKET (3). This
could cause self-DoS of the per-connection daemon process.

Buffer Underflow

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.2 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 16%

Affected Products (NVD)

Vendor	Product	Version
libssh	libssh	𝑥 < 0.11.4
redhat	hardened_images	-
redhat	openshift_container_platform	4.0
redhat	enterprise_linux	8.0
redhat	enterprise_linux	9.0
redhat	enterprise_linux	10.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

libssh

bookworm	no-dsa
bookworm (security)	vulnerable
bullseye	postponed
bullseye (security)	vulnerable
forky	0.12.0-3 fixed
sid	0.12.0-3 fixed
trixie	no-dsa

openSUSE / SLES Releases

openSUSE Product

Release

libssh-config

suse enterprise desktop 15 SP7	0.9.8-150600.11.9.1 fixed
suse enterprise sap 15 SP7	0.9.8-150600.11.9.1 fixed
suse enterprise server 15 SP4	0.9.8-150400.3.17.1 fixed
suse enterprise server 15 SP7	0.9.8-150600.11.9.1 fixed

libssh-devel

suse enterprise desktop 15 SP7	0.9.8-150600.11.9.1 fixed
suse enterprise sap 15 SP7	0.9.8-150600.11.9.1 fixed
suse enterprise server 15 SP4	0.9.8-150400.3.17.1 fixed
suse enterprise server 15 SP7	0.9.8-150600.11.9.1 fixed

libssh4

suse enterprise desktop 15 SP7	0.9.8-150600.11.9.1 fixed
suse enterprise sap 15 SP7	0.9.8-150600.11.9.1 fixed
suse enterprise server 15 SP4	0.9.8-150400.3.17.1 fixed
suse enterprise server 15 SP7	0.9.8-150600.11.9.1 fixed

libssh4-32bit

suse enterprise desktop 15 SP7	0.9.8-150600.11.9.1 fixed
suse enterprise sap 15 SP7	0.9.8-150600.11.9.1 fixed
suse enterprise server 15 SP4	0.9.8-150400.3.17.1 fixed
suse enterprise server 15 SP7	0.9.8-150600.11.9.1 fixed

Common Weakness Enumeration

CWE-124 - Buffer Underwrite ('Buffer Underflow')
The software writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer.

References

https://access.redhat.com/errata/RHSA-2026:7067

https://access.redhat.com/security/cve/CVE-2026-0966

https://bugzilla.redhat.com/show_bug.cgi?id=2433121

https://www.libssh.org/2026/02/10/libssh-0-12-0-and-0-11-4-security-releases/