Skip to main content

libssh CVE-2025-4878

LOW
Use After Free (CWE-416)
2025-07-22 secalert@redhat.com
3.6
CVSS 3.1 · Vendor: redhat

Severity by source

Vendor (redhat) PRIMARY
3.6 LOW
AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

Primary rating from Vendor (redhat) · only source for this CVE.

CVSS VectorVendor: redhat

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 06, 2026 - 16:30 vuln.today

DescriptionCVE.org

A vulnerability was found in libssh, where an uninitialized variable exists under certain conditions in the privatekey_from_file() function. This flaw can be triggered if the file specified by the filename doesn't exist and may lead to possible signing failures or heap corruption.

AnalysisAI

Uninitialized variable in libssh's privatekey_from_file() function can cause heap corruption or signing failures when a non-existent key file is specified, allowing local authenticated attackers to trigger memory corruption with potential for information disclosure. CVSS 3.6 reflects local attack vector and high complexity; exploitation requires authenticated access and specific file conditions.

Technical ContextAI

libssh is a C SSH client library that implements the SSH protocol for secure remote shell access. The vulnerability exists in the privatekey_from_file() function, which handles loading private key files for authentication. When a filename parameter references a non-existent file, the function fails to properly initialize a variable before use, creating a use-after-free (CWE-416) condition. This uninitialized memory can contain residual heap data, leading to either memory corruption when the uninitialized variable is dereferenced, or information disclosure if the uninitialized data is read. The flaw is particularly dangerous in multi-threaded environments or scenarios where heap state is predictable, as attackers may be able to influence what data resides in the uninitialized memory location.

Affected ProductsAI

libssh is affected in versions prior to the patches identified in commits 697650caa97eaf7623924c75f9fcfec6dd423cd1 and b35ee876adc92a208d47194772e99f9c71e0bedb. No specific version ranges are provided in the available data; however, the upstream commits represent the fixes. CPE identifiers for libssh should be checked against the Red Hat security advisory at https://access.redhat.com/security/cve/CVE-2025-4878 and the libssh advisory at https://www.libssh.org/security/advisories/CVE-2025-4878.txt for precise affected version ranges and distribution-specific patched versions.

RemediationAI

Apply the upstream fix by upgrading libssh to a version containing commit 697650caa97eaf7623924c75f9fcfec6dd423cd1 or b35ee876adc92a208d47194772e99f9c71e0bedb, or use the next stable release after these patches are integrated. For distribution packages, follow https://access.redhat.com/security/cve/CVE-2025-4878 for Red Hat/CentOS updates or equivalent vendor advisories for other distributions. If immediate patching is not possible, mitigate by ensuring that applications using libssh validate filenames before passing them to privatekey_from_file() and do not accept untrusted filename inputs from local users; however, this workaround relies on application-level validation and does not address the underlying library flaw. Additionally, restrict local access to systems running vulnerable libssh instances and apply the principle of least privilege to processes using libssh authentication.

Share

CVE-2025-4878 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy