CVE-2025-5318

Libssh: out-of-bounds read in sftp_handle()

Published: 6/24/2025 Last updated: 12/10/2025 Reserved: 5/29/2025

A flaw was found in the libssh library in versions less than 0.11.2. An out-of-bounds read can be triggered in the sftp_handle function due to an incorrect comparison check that permits the function to access memory beyond the valid handle list and to return an invalid pointer, which is used in further processing. This vulnerability allows an authenticated remote attacker to potentially read unintended memory regions, exposing sensitive information or affect service behavior.

CNA assigner: redhat (53f830b8-0a3f-465b-8143-3b8a9948e749) Requested by: n/a

Metrics

Version	Score	Severity	Vector String
3.1	5.4	Medium	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Opam packages affected (1)

libssh

Products affected (36)

Product	Vendor	Version
		< 3.5.6
Red Hat Enterprise Linux 10	Red Hat	unspecified
Red Hat Enterprise Linux 10	Red Hat	< V6.4
Red Hat Enterprise Linux 8	Red Hat	WD-RUNTIME 7.50
Red Hat Enterprise Linux 8	Red Hat	14
Red Hat Enterprise Linux 8.2 Advanced Update Support	Red Hat	release-20170803-20170803T064301Z
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support	Red Hat	n/a
Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On	Red Hat	unspecified
Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support	Red Hat	< V6.4
Red Hat Enterprise Linux 8.6 Telecommunications Update Service	Red Hat	Android 13.0, 14.0
Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions	Red Hat	n/a
Red Hat Enterprise Linux 8.8 Telecommunications Update Service	Red Hat	n/a
Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions	Red Hat	unspecified
Red Hat Enterprise Linux 9	Red Hat	< V6.4
Red Hat Enterprise Linux 9	Red Hat	n/a
Red Hat Enterprise Linux 9	Red Hat	All versions up to CUDA Toolkit 12.8
Red Hat Enterprise Linux 9	Red Hat	n/a
Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions	Red Hat	< V6.4
Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions	Red Hat	10 Version 1803 for 32-bit Systems
Red Hat Enterprise Linux 9.4 Extended Update Support	Red Hat	10 Version 1803 for x64-based Systems
Red Hat AI Inference Server 3.2	Red Hat	n/a
Red Hat AI Inference Server 3.2	Red Hat	10 Version 1809 for x64-based Systems
Red Hat AI Inference Server 3.2	Red Hat	4.0.0
Red Hat OpenShift Container Platform 4.17	Red Hat	<= None
Red Hat OpenShift Container Platform 4.18	Red Hat	10 Version 1809 for 32-bit Systems
Red Hat OpenShift Container Platform 4.19	Red Hat	All versions < V8.80
Red Hat OpenShift Container Platform 4.20	Red Hat	< V6.4
Red Hat OpenShift Container Platform 4.12	Red Hat	<= 6.5.14.0
Red Hat OpenShift Container Platform 4.13	Red Hat	< V6.4
Red Hat OpenShift Container Platform 4.14	Red Hat	10 Version 1803 for ARM64-based Systems
Red Hat OpenShift distributed tracing 3.7.0	Red Hat	10 Version 1809 for ARM64-based Systems
Red Hat OpenShift distributed tracing 3.7.0	Red Hat	3.0.0
Red Hat OpenShift distributed tracing 3.7.0	Red Hat	< V6.4
Red Hat OpenShift distributed tracing 3.7.0	Red Hat	10 Version 1709 for 32-bit Systems
Red Hat OpenShift distributed tracing 3.7.0	Red Hat	All versions < V8.80
Red Hat OpenShift distributed tracing 3.7.0	Red Hat	n/a

References (26)

Credits (1)

Red Hat would like to thank Ronald Crane for reporting this issue.