CVE-2026-0966

Libssh: libssh: denial of service via zero-length input in ssh_get_hexa()

Published: 3/26/2026 Last updated: 5/19/2026 Reserved: 1/14/2026

A flaw was found in libssh. The API function `ssh_get_hexa()` is vulnerable to a denial of service when processing zero-length input. This can be exploited remotely by an attacker during GSSAPI (Generic Security Service Application Program Interface) authentication if the server's logging verbosity is set to `SSH_LOG_PACKET (3)` or higher. Successful exploitation could lead to a self-Denial of Service of the per-connection daemon process.

CNA assigner: redhat (53f830b8-0a3f-465b-8143-3b8a9948e749) Requested by: n/a

Metrics

Version	Score	Severity	Vector String
3.0	6.5	Medium	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H

Opam packages affected (1)

libssh

Products affected (13)

Product	Vendor	Version
Red Hat Enterprise Linux 10	Red Hat	n/a
Red Hat Enterprise Linux 9	Red Hat	n/a
Red Hat Enterprise Linux 9	Red Hat	R2.1 and prior
Red Hat Enterprise Linux 10	Red Hat	Windows 10 Version 1607 for 32-bit Systems
Red Hat Enterprise Linux 9	Red Hat	Windows 10 Version 1607 for x64-based Systems
Red Hat Enterprise Linux 9	Red Hat	Windows 10 Version 1703 for 32-bit Systems
Red Hat Enterprise Linux 8	Red Hat	Windows 10 Version 1803 for 32-bit Systems
Red Hat Enterprise Linux 6	Red Hat	Windows 10 Version 1709 for 32-bit Systems
Red Hat Enterprise Linux 6	Red Hat	n/a
Red Hat Enterprise Linux 7	Red Hat	Windows 10 Version 1709 for x64-based Systems
Red Hat Hardened Images	Red Hat	Windows 10 Version 1803 for x64-based Systems
Red Hat Hardened Images	Red Hat	Windows 10 Version 1703 for x64-based Systems
Red Hat OpenShift Container Platform 4	Red Hat	Windows 10 Version 1809 for 32-bit Systems

References (12)

Credits (2)

Red Hat would like to thank Jakub Jelen (libssh), Jun Xu, Kang Yang, and Yunhang Zhang for reporting this issue.
Red Hat would like to thank Jakub Jelen (libssh), Jun Xu, Kang Yang, and Yunhang Zhang for reporting this issue.