
libssh2 EUVD-2025-210285

CVE-2025-15661 HIGH
Out-of-bounds Read (CWE-125)
2026-06-18 VulnCheck GHSA-3wqh-87fg-ffgg
8.3 (CVSS 4.0 · Vendor: VulnCheck)

Severity by source

Vendor (VulnCheck), primary: 8.3 HIGH
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI: 6.5 MEDIUM
Network-reachable via SFTP response, but the attacker must control or MitM the server (AC:H); no client authentication needed (PR:N/UI:N); leaks heap memory (C:L) and crashes the client (A:H); no integrity impact.
CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H
CVSS 4.0: AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N

SUSE: 6.8 MEDIUM
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:H

Red Hat: 6.5 MEDIUM (qualitative)

Primary rating from Vendor (VulnCheck).

CVSS Vector (Vendor: VulnCheck)

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline

Source Code Evidence Fetched: Jun 18, 2026 - 20:47 (vuln.today)
Analysis Generated: Jun 18, 2026 - 20:47 (vuln.today)

Description (CVE.org)

libssh2 through 1.11.1, fixed in commit 2dae302, contains an out-of-bounds heap read vulnerability in the sftp_symlink() function in src/sftp.c that allows a malicious SSH server or man-in-the-middle attacker to disclose heap memory contents or cause a crash by sending a crafted SSH_FXP_NAME response. Attackers can supply a link_len value larger than the actual packet data in SSH_FXP_NAME responses for SFTP READLINK and REALPATH operations, triggering a heap buffer over-read of up to target_len minus one bytes due to the missing validation of available packet buffer size before the memcpy operation.

Analysis (AI)

Out-of-bounds heap read in libssh2 through 1.11.1 enables a malicious SFTP server or man-in-the-middle attacker to leak heap memory or crash client applications by sending a crafted SSH_FXP_NAME response with an inflated link_len during READLINK or REALPATH operations. The library is embedded in many SSH/SFTP clients (curl, Git tooling, language bindings), so impact extends to anywhere libssh2 is used as a client. No public exploit identified at time of analysis, but a vendor patch (commit 2dae302) is available and the issue was reported by VulnCheck.

Technical Context (AI)

libssh2 is a widely embedded C client library implementing the SSH2 protocol, used by curl, Git wrappers, scripting language bindings, and numerous network tools. The flaw is a CWE-125 out-of-bounds read in sftp_symlink() in src/sftp.c: when parsing SSH_FXP_NAME responses returned for SFTP READLINK and REALPATH requests, the code copies link_len bytes from the response packet into a buffer without verifying that link_len fits within the remaining packet payload (data_len - 13 bytes of header). A hostile server can therefore declare a link length larger than the actual data, causing memcpy to read adjacent heap memory up to target_len - 1 bytes past the legitimate buffer.
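As an added illustration (not libssh2's own code and not the patch in commit 2dae302), the following minimal parser copies the single name string of an SSH_FXP_NAME reply and applies the bounds check the description says was missing: the declared link_len is compared against the payload actually received (data_len minus the 13-byte header) before memcpy. The packet layout and the sample bytes are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SSH_FXP_NAME 104
/* Header of a one-entry name reply: type(1) + request id(4) + count(4) + link_len(4). */
#define FXP_NAME_HDR 13

static uint32_t rd_u32(const unsigned char *p)   /* SFTP integers are big-endian */
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Copy the single link string of an SSH_FXP_NAME reply (READLINK/REALPATH)
 * into target, NUL-terminated. Returns the link length, or -1 if the packet
 * is malformed or the string does not fit. The comparison of link_len with
 * the remaining payload is the check the advisory describes as missing. */
long parse_fxp_name_link(const unsigned char *data, size_t data_len,
                         char *target, size_t target_len)
{
    if (!data || !target || target_len == 0)
        return -1;
    if (data_len < FXP_NAME_HDR || data[0] != SSH_FXP_NAME)
        return -1;
    if (rd_u32(data + 5) != 1)                 /* exactly one name entry */
        return -1;
    uint32_t link_len = rd_u32(data + 9);
    if (link_len > data_len - FXP_NAME_HDR)    /* more declared than received */
        return -1;
    if (link_len >= target_len)                /* leave room for the NUL */
        return -1;
    memcpy(target, data + FXP_NAME_HDR, link_len);
    target[link_len] = '\0';
    return (long)link_len;
}
/* Constructed samples: request id 7, count 1, link "/tmp/foo" (8 bytes);
 * bad_pkt carries the same 8 bytes but declares link_len = 0x100. */
const unsigned char ok_pkt[]  = { SSH_FXP_NAME, 0,0,0,7, 0,0,0,1, 0,0,0,8,
                                  '/','t','m','p','/','f','o','o' };
const unsigned char bad_pkt[] = { SSH_FXP_NAME, 0,0,0,7, 0,0,0,1, 0,0,1,0,
                                  '/','t','m','p','/','f','o','o' };
char scratch[64];   /* destination buffer used by the checks */

int main(void)
{
    printf("ok_pkt -> %ld\n", parse_fxp_name_link(ok_pkt, sizeof ok_pkt, scratch, sizeof scratch));
    printf("bad_pkt -> %ld\n", parse_fxp_name_link(bad_pkt, sizeof bad_pkt, scratch, sizeof scratch));
    return 0;
}
```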

Remediation (AI)

An upstream fix is available (commit 2dae3024897e1898d389835151f4e9606227721d via PR #1705 and PR #1717). A tagged patched release beyond 1.11.1 is not independently confirmed from the provided data, so either rebuild against the patched source or wait for the next libssh2 release, then update all downstream packages that embed libssh2 (curl, libgit2 wrappers, language bindings). As a compensating control until the patched library is deployed, restrict SFTP client operations to known-trusted servers reached over authenticated channels with strict host key verification (StrictHostKeyChecking) to mitigate MitM, and where feasible avoid invoking SFTP symlink resolution operations (readlink, realpath) against untrusted endpoints, at the cost of breaking workflows that rely on resolving symbolic links. Network egress filtering that limits which SSH/SFTP endpoints clients may reach further reduces exposure to malicious servers.

Vendor Status

SUSE (severity: Moderate)

Product status:
- SUSE Linux Enterprise Desktop 15 SP7: Affected
- SUSE Linux Enterprise High Performance Computing 15 SP7: Affected
- SUSE Linux Enterprise Micro 5.3: Affected
- SUSE Linux Enterprise Micro 5.4: Affected
- SUSE Linux Enterprise Micro 5.5: Affected
