Skip to main content

Tera Term TTSSH2 CVE-2026-58317

| EUVDEUVD-2026-45140 MEDIUM
Unsigned to Signed Conversion Error (CWE-196)
2026-07-17 jpcert GHSA-mmcg-pw3p-cwjh
5.1
CVSS 4.0 · Vendor: jpcert
Share

Severity by source

Vendor (jpcert) PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.3 MEDIUM

Attacker requires no privileges and exploits over network (AV:N, PR:N), but victim must initiate connection to malicious server (UI:R); partial C/I/A impacts reflect bounded OOB access rather than full compromise.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (jpcert).

CVSS VectorVendor: jpcert

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

2
CVSS changed
Jul 17, 2026 - 05:22 NVD
6.3 (MEDIUM) 5.1 (MEDIUM)
Analysis Generated
Jul 17, 2026 - 05:19 vuln.today

DescriptionCVE.org

Unsigned to Signed Conversion Error (CWE-196) vulnerability exists in TTSSH2 plugin of Tera Term provided by TeraTerm Project. When Tera Term attempts to establish an SSH connection to a server set up by an attacker, out-of-bounds read/write may occur. As a result, the contents of adjacent memory regions may be transmitted to the server, and Tera Term may behave unexpected or terminate abnormally.

AnalysisAI

Out-of-bounds memory read and write in Tera Term's TTSSH2 SSH plugin exposes users who connect to attacker-controlled SSH servers to memory disclosure and potential client crashes. The root cause is an unsigned-to-signed integer conversion error (CWE-196) in the SSH connection handshake code, which can cause internal memory contents to be transmitted to the malicious server. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker deploys malicious SSH server
Delivery
Social-engineer victim to connect via Tera Term
Exploit
TTSSH2 parses attacker-controlled SSH handshake data
Execution
Unsigned-to-signed conversion error triggers OOB read/write
Persist
Adjacent memory contents transmitted to attacker server
Impact
Client crashes or behaves abnormally

Vulnerability AssessmentAI

Exploitation The victim must actively initiate an SSH connection from Tera Term (with TTSSH2 plugin active) to an SSH server controlled by the attacker - CVSS UI:R confirms this required user interaction. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.0 base score of 6.3 (Medium) reflects a network-reachable flaw requiring no attacker privileges (PR:N, AV:N, AC:L) but mandating user interaction (UI:R), which is the primary real-world limiting factor. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker stands up a malicious SSH server and delivers its hostname or IP to a target via phishing, a compromised jump-host list, or a fraudulent IT support message. When the victim opens Tera Term and connects to the server, the TTSSH2 handshake parsing triggers the integer conversion error, causing it to read beyond the intended buffer and transmit a slice of heap or stack memory back to the attacker's server, potentially containing credentials, session keys, or other sensitive data resident in the process at connection time. …
Remediation The primary remediation is to upgrade Tera Term to the fixed version specified in the vendor advisory at https://teratermproject.github.io/SA/JVN65294474-en.html - no exact patched version number was included in the available input data, so users must consult that page directly. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-58317 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy