Skip to main content

Red Hat Enterprise Linux 10 CVE-2026-0968

| EUVDEUVD-2026-16335 LOW
NULL Pointer Dereference (CWE-476)
2026-03-26 redhat GHSA-6w3m-r3qq-cr2h
3.1
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.1 LOW
AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L
Ubuntu
MEDIUM
qualitative
SUSE
3.7 LOW
AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L
Red Hat
3.1 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

6
Severity Changed
Apr 13, 2026 - 06:22 NVD
CRITICAL LOW
CVSS changed
Apr 13, 2026 - 06:22 NVD
9.8 (CRITICAL) 3.1 (LOW)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 26, 2026 - 20:31 euvd
EUVD-2026-16335
Analysis Generated
Mar 26, 2026 - 20:31 vuln.today
CVE Published
Mar 26, 2026 - 20:06 nvd
CRITICAL 9.8

DescriptionCVE.org

A flaw was found in libssh in which a malicious SFTP (SSH File Transfer Protocol) server can exploit this by sending a malformed 'longname' field within an SSH_FXP_NAME message during a file listing operation. This missing null check can lead to reading beyond allocated memory on the heap. This can cause unexpected behavior or lead to a denial of service (DoS) due to application crashes.

AnalysisAI

Libssh versions used across Red Hat Enterprise Linux 6-10 and OpenShift Container Platform 4 are vulnerable to a null pointer dereference when processing malformed 'longname' fields in SFTP SSH_FXP_NAME messages, allowing unauthenticated remote attackers to trigger denial of service through application crashes. The attack requires user interaction and high attack complexity (CVSS 3.1, CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L) but affects a widely deployed SSH library; no public exploit identified at time of analysis.

Technical ContextAI

The vulnerability exists in libssh, a portable C library implementing the SSH protocol, specifically in the SFTP (SSH File Transfer Protocol) implementation. When a malicious SFTP server sends a specially crafted SSH_FXP_NAME message during file listing operations, the 'longname' field lacks proper null-termination validation. This results in a null pointer dereference (CWE-476), causing the application to read beyond allocated heap memory. The affected products span Red Hat Enterprise Linux versions 6, 7, 8, 9, and 10 (cpe:2.3:a:red_hat:red_hat_enterprise_linux_*), as well as Red Hat OpenShift Container Platform 4 (cpe:2.3:a:red_hat:red_hat_openshift_container_platform_4), indicating widespread integration of libssh in Red Hat's core infrastructure and container orchestration platform.

RemediationAI

Consult Red Hat's official security advisory at https://access.redhat.com/security/cve/CVE-2026-0968 for specific libssh package versions and patched updates for your Enterprise Linux or OpenShift version. Apply the vendor-released patch via package manager (yum, dnf, or equivalent) as soon as it becomes available for your supported OS version. As an interim mitigation, restrict SFTP client connections to trusted, verified SFTP servers and implement network segmentation to prevent end-user systems from connecting to untrusted remote systems. Organizations relying on libssh-based SFTP functionality in applications should prioritize patching of the underlying libssh library and test compatibility of patched versions in pre-production environments before widespread deployment.

CVE-2026-4631 CRITICAL POC
9.8 Apr 07

Remote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the h

CVE-2026-4480 CRITICAL POC
9.0 May 26

Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft

CVE-2026-14544 CRITICAL
9.8 Jul 03

Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter

CVE-2026-28369 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel

CVE-2026-28368 CRITICAL
9.1 Mar 27

HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls

CVE-2026-33845 CRITICAL
9.1 Apr 30

Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege

CVE-2026-28367 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator

CVE-2026-11610 HIGH
8.8 Jul 07

Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD

CVE-2026-14474 HIGH
8.8 Jul 07

Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user

CVE-2026-52720 HIGH
8.8 Jun 15

Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co

CVE-2026-5674 HIGH
8.8 Jul 16

Sandbox escape in PipeWire's PulseAudio compatibility layer lets a low-privileged process inside a confined environment

CVE-2026-5260 HIGH
8.2 May 26

Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap

Vendor StatusVendor

Ubuntu

Priority: Medium
libssh
Release Status Version
upstream needs-triage -
jammy released 0.9.6-2ubuntu0.22.04.6
noble released 0.10.6-2ubuntu0.3
questing released 0.11.2-1ubuntu0.2
bionic released 0.8.0~20170825.94fa1e38-1ubuntu0.7+esm6
focal released 0.9.3-2ubuntu2.5+esm3
xenial released 0.6.3-4.3ubuntu0.6+esm4

Debian

Bug #1127693
libssh
Release Status Fixed Version Urgency
bullseye vulnerable 0.9.8-0+deb11u1 -
bullseye (security) vulnerable 0.9.8-0+deb11u2 -
bookworm vulnerable 0.10.6-0+deb12u2 -
bookworm (security) vulnerable 0.10.6-0+deb12u1 -
trixie vulnerable 0.11.2-1+deb13u1 -
forky vulnerable 0.11.3-1 -
sid fixed 0.12.0-3 -
(unstable) fixed 0.12.0-1 -

SUSE

Severity: Low
Product Status
Container private-registry/harbor-trivy-adapter:1.1.1-1.40 Container suse/manager/5.0/x86_64/server:latest Image SLES15-SP7-CHOST-BYOS-Aliyun Image SLES15-SP7-CHOST-BYOS-Azure Image SLES15-SP7-CHOST-BYOS-EC2 Image SLES15-SP7-CHOST-BYOS-GCE Image SLES15-SP7-CHOST-BYOS-GDC Image SLES15-SP7-CHOST-BYOS-SAP-CCloud Image SLES15-SP7-SAP-BYOS-EC2 Image SLES15-SP7-SAP-GCE-3P Image SLES15-SP7-SAP-Hardened-BYOS-EC2 Image pr_15_7 Affected
Container suse/ltss/sle12.5/sles12sp5:8.5.205 Image SLES12-SP5-EC2-SAP-BYOS Image SLES12-SP5-SAP-Azure-LI-BYOS-Production Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production Affected
Container suse/sl-micro/6.0/baremetal-os-container:latest Container suse/sl-micro/6.0/base-os-container:latest Container suse/sl-micro/6.0/kvm-os-container:latest Container suse/sl-micro/6.0/rt-os-container:latest Container suse/sl-micro/6.0/toolbox:latest Affected
Container suse/sl-micro/6.1/baremetal-os-container:2.2.1-7.59 Container suse/sl-micro/6.1/base-os-container:2.2.1-5.80 Container suse/sl-micro/6.1/kvm-os-container:2.2.1-5.85 Container suse/sl-micro/6.1/rt-os-container:2.2.1-5.73 Image SL-Micro-Base Image SL-Micro-Base-RT Image SL-Micro-Base-RT-SelfInstall Image SL-Micro-Base-RT-encrypted Image SL-Micro-Base-SelfInstall Image SL-Micro-Base-encrypted Image SL-Micro-Base-qcow Image SL-Micro-Default Image SL-Micro-Default-SelfInstall Image SL-Micro-Default-encrypted Image SL-Micro-Default-qcow Image SL-Micro-EC2 Image SUSE-Multi-Linux-Manager-Proxy-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Server-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Server-EC2-llc Image SUSE-Multi-Linux-Manager-Server-EC2-ltd Affected
Container suse/sle-micro-rancher/5.2:latest Container suse/sle-micro/5.2/toolbox:14.2-7.11.242 Affected

Share

CVE-2026-0968 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy