Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attacker requires no privileges and exploits over network (AV:N, PR:N), but victim must initiate connection to malicious server (UI:R); partial C/I/A impacts reflect bounded OOB access rather than full compromise.
Primary rating from Vendor (jpcert).
CVSS VectorVendor: jpcert
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Unsigned to Signed Conversion Error (CWE-196) vulnerability exists in TTSSH2 plugin of Tera Term provided by TeraTerm Project. When Tera Term attempts to establish an SSH connection to a server set up by an attacker, out-of-bounds read/write may occur. As a result, the contents of adjacent memory regions may be transmitted to the server, and Tera Term may behave unexpected or terminate abnormally.
AnalysisAI
Out-of-bounds memory read and write in Tera Term's TTSSH2 SSH plugin exposes users who connect to attacker-controlled SSH servers to memory disclosure and potential client crashes. The root cause is an unsigned-to-signed integer conversion error (CWE-196) in the SSH connection handshake code, which can cause internal memory contents to be transmitted to the malicious server. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The victim must actively initiate an SSH connection from Tera Term (with TTSSH2 plugin active) to an SSH server controlled by the attacker - CVSS UI:R confirms this required user interaction. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.0 base score of 6.3 (Medium) reflects a network-reachable flaw requiring no attacker privileges (PR:N, AV:N, AC:L) but mandating user interaction (UI:R), which is the primary real-world limiting factor. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker stands up a malicious SSH server and delivers its hostname or IP to a target via phishing, a compromised jump-host list, or a fraudulent IT support message. When the victim opens Tera Term and connects to the server, the TTSSH2 handshake parsing triggers the integer conversion error, causing it to read beyond the intended buffer and transmit a slice of heap or stack memory back to the attacker's server, potentially containing credentials, session keys, or other sensitive data resident in the process at connection time. … |
| Remediation | The primary remediation is to upgrade Tera Term to the fixed version specified in the vendor advisory at https://teratermproject.github.io/SA/JVN65294474-en.html - no exact patched version number was included in the available input data, so users must consult that page directly. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-196 – Unsigned to Signed Conversion Error
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-45140
GHSA-mmcg-pw3p-cwjh