CVE-2025-4878 | THREATINT

Description

A vulnerability was found in libssh, where an uninitialized variable exists under certain conditions in the privatekey_from_file() function. This flaw can be triggered if the file specified by the filename doesn't exist and may lead to possible signing failures or heap corruption.

PUBLISHED Reserved 2025-05-16 | Published 2025-07-22 | Updated 2026-05-19 | Assigner redhat

LOW: 3.6CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

Problem types

Product status

Default status

unaffected

Any version before 0.11.2

affected

Default status

affected

0:0.10.4-18.el9 (rpm) before *

unaffected

Default status

affected

0:0.10.4-18.el9 (rpm) before *

unaffected

Default status

affected

Default status

unknown

Default status

unknown

Default status

affected

Default status

affected

Timeline

2025-07-03:	Reported to Red Hat.
2025-06-24:	Made public.

References

access.redhat.com/errata/RHSA-2026:18683 (RHSA-2026:18683) vendor-advisory

access.redhat.com/security/cve/CVE-2025-4878 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2376184 (RHBZ#2376184) issue-tracking

git.libssh.org/...d=697650caa97eaf7623924c75f9fcfec6dd423cd1

git.libssh.org/...d=b35ee876adc92a208d47194772e99f9c71e0bedb

www.libssh.org/security/advisories/CVE-2025-4878.txt

cve.org (CVE-2025-4878)

nvd.nist.gov (CVE-2025-4878)

Download JSON

help @ threatint.eu