Home

Description

A flaw was found in libssh in which a malicious SFTP (SSH File Transfer Protocol) server can exploit this by sending a malformed 'longname' field within an `SSH_FXP_NAME` message during a file listing operation. This missing null check can lead to reading beyond allocated memory on the heap. This can cause unexpected behavior or lead to a denial of service (DoS) due to application crashes.

PUBLISHED Reserved 2026-01-14 | Published 2026-03-26 | Updated 2026-05-19 | Assigner redhat




LOW: 3.1CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L

Problem types

NULL Pointer Dereference

Product status

Default status
affected

0:0.12.0-2.el10 (rpm) before *
unaffected

Default status
affected

0:0.10.4-18.el9 (rpm) before *
unaffected

Default status
affected

0:0.10.4-18.el9 (rpm) before *
unaffected

Default status
unaffected

Default status
unaffected

Default status
affected

Default status
unaffected

Default status
affected

Timeline

2026-02-04:Reported to Red Hat.
2026-02-10:Made public.

Credits

Red Hat would like to thank Jakub Jelen (libssh) and nevv (CTyun Red-Shield Security Lab) for reporting this issue.

References

access.redhat.com/errata/RHSA-2026:18160 (RHSA-2026:18160) vendor-advisory

access.redhat.com/errata/RHSA-2026:18683 (RHSA-2026:18683) vendor-advisory

access.redhat.com/security/cve/CVE-2026-0968 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2436982 (RHBZ#2436982) issue-tracking

www.libssh.org/...ibssh-0-12-0-and-0-11-4-security-releases/

cve.org (CVE-2026-0968)

nvd.nist.gov (CVE-2026-0968)

Download JSON