EUVD-2025-23900

CVE-2025-5318 | Severity: HIGH | Published: 2025-06-24 | Reporter: [email protected] | CVSS 3.1 base score: 8.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: High

Lifecycle Timeline

Patch Released: Mar 31, 2026 - 21:13 (source: nvd) - patch available
Analysis Generated: Mar 15, 2026 - 22:36 (source: vuln.today)
EUVD ID Assigned: Mar 15, 2026 - 22:36 (source: euvd) - EUVD-2025-23900
CVE Published: Jun 24, 2025 - 14:15 (source: nvd) - HIGH 8.1

Description

A flaw was found in the libssh library in versions less than 0.11.2. An out-of-bounds read can be triggered in the sftp_handle function due to an incorrect comparison check that permits the function to access memory beyond the valid handle list and to return an invalid pointer, which is used in further processing. This vulnerability allows an authenticated remote attacker to potentially read unintended memory regions, exposing sensitive information or affecting service behavior.

Analysis

CVE-2025-5318 is an out-of-bounds read vulnerability in libssh versions before 0.11.2 caused by an incorrect comparison check in the sftp_handle function that allows authenticated remote attackers to access memory beyond the valid handle list and retrieve invalid pointers for further processing. This vulnerability enables exposure of sensitive information or denial of service, with a CVSS score of 8.1 indicating high severity. The vulnerability requires authentication and network access but has high confidentiality and availability impact.

Technical Context

libssh is a multipurpose SSH library used for implementing SSH protocols in client and server applications. The vulnerability exists in the SFTP (SSH File Transfer Protocol) subsystem, specifically in the sftp_handle function responsible for managing file handles during SFTP operations. The root cause is classified under CWE-125 (Out-of-bounds Read), stemming from an incorrect comparison operator or boundary check that fails to properly validate array indices before accessing the handle list. This allows an authenticated user with valid SSH credentials to craft malicious SFTP requests that reference handle indices beyond the allocated buffer, causing the function to read arbitrary memory and return invalid pointers that are subsequently dereferenced in downstream operations. The affected CPE scope includes libssh:libssh versions < 0.11.2 across all platforms where it is deployed (Windows, Linux, macOS, embedded systems).
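To make the bug class concrete, the following constructed example (not libssh's code; all names and the table layout are hypothetical) shows a handle-table lookup with an off-by-one comparison on a client-supplied index next to the corrected bound check. An index equal to the table size passes the buggy check and would read one slot past the array, which is the CWE-125 pattern the description refers to; the lookup itself only ever uses the corrected check, so the block is safe to run.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed illustration, not libssh's sftp_handle(): a fixed-size table of
 * open SFTP handles indexed by a number the client sends in its request. */
#define MAX_HANDLES 8

struct handle_entry {
    int in_use;
    char name[32];
};

static struct handle_entry handle_table[MAX_HANDLES];

/* Buggy bound check: '>' lets idx == MAX_HANDLES through, so the caller would
 * index handle_table[MAX_HANDLES], one element past the end of the array. */
int index_is_valid_buggy(uint32_t idx)
{
    return !(idx > MAX_HANDLES);
}

/* Corrected bound check: valid slots are 0 .. MAX_HANDLES-1 only. */
int index_is_valid_fixed(uint32_t idx)
{
    return idx < MAX_HANDLES;
}

/* Register a name in the first free slot; returns its index or -1 if full. */
int register_handle(const char *name)
{
    for (uint32_t i = 0; i < MAX_HANDLES; i++) {
        if (!handle_table[i].in_use) {
            handle_table[i].in_use = 1;
            strncpy(handle_table[i].name, name, sizeof(handle_table[i].name) - 1);
            handle_table[i].name[sizeof(handle_table[i].name) - 1] = '\0';
            return (int)i;
        }
    }
    return -1;
}

/* Parse a 4-byte big-endian handle index from an untrusted request buffer and
 * resolve it with the corrected check; NULL means "reject the request". */
struct handle_entry *lookup_handle(const unsigned char *buf, size_t len)
{
    if (len < 4) return NULL;
    uint32_t idx = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                   ((uint32_t)buf[2] << 8) | (uint32_t)buf[3];
    if (!index_is_valid_fixed(idx) || !handle_table[idx].in_use) return NULL;
    return &handle_table[idx];
}
```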

Affected Products

libssh library versions < 0.11.2 are affected across all distributions. Specific affected versions include: libssh 0.11.1, 0.11.0, 0.10.x and all earlier 0.x series. Products embedding libssh include: git (libgit2 with libssh backend), OpenSSH (if compiled with libssh), various embedded systems SSH clients/servers, network appliances with SFTP functionality, and containerized applications using libssh-based SSH implementations. CPE scope: cpe:2.3:a:libssh:libssh:*:*:*:*:*:*:*:* (versions < 0.11.2). Remediation is available in libssh 0.11.2 and later versions. Users should consult vendor advisories for upstream projects (git, OpenSSH distributions, appliance vendors) for patched releases incorporating libssh >= 0.11.2.

Remediation

Immediate actions:
(1) Upgrade libssh to version 0.11.2 or later from https://www.libssh.org/.
(2) Verify all dependent software (git, application servers, network appliances) has been updated with patched libssh versions.
(3) Review SSH access logs for suspicious SFTP handle requests targeting high indices.

Temporary mitigations pending patching:
(a) Restrict SSH/SFTP access to trusted IP ranges via firewall or SSH daemon configuration (ListenAddress directive).
(b) Implement SSH public key authentication only and disable password authentication to reduce credential compromise risk.
(c) Monitor SFTP connections for anomalous patterns using network IDS/IPS or SSH audit logging.
(d) Run libssh-dependent services with minimal privilege (dedicated unprivileged user accounts).

Patch verification: After upgrading, confirm the libssh version with 'ssh -V' or library version checks; run regression tests on SFTP operations to ensure functionality.

Vendor patch status: The libssh project has released 0.11.2 as the official remediation; downstream vendors (Debian, Ubuntu, RHEL, Alpine, etc.) will release updates via their respective security channels.

Priority Score

41
KEV: 0
EPSS: +0.1
CVSS: +40
POC: 0

Vendor Status

Ubuntu

Priority: Medium
libssh
Release    Status    Version
jammy      released  0.9.6-2ubuntu0.22.04.4
upstream   released  0.11.2
noble      released  0.10.6-2ubuntu0.1
oracular   released  0.10.6-3ubuntu1.1
plucky     released  0.11.1-1ubuntu0.1
bionic     released  0.8.0~20170825.94fa1e38-1ubuntu0.7+esm4
focal      released  0.9.3-2ubuntu2.5+esm1
xenial     released  0.6.3-4.3ubuntu0.6+esm2

Debian

Bug #1108407
libssh
Release              Status      Fixed Version       Urgency
bullseye             fixed       0.9.8-0+deb11u2     -
bullseye (security)  fixed       0.9.8-0+deb11u2     -
bookworm             fixed       0.10.6-0+deb12u2    -
bookworm (security)  vulnerable  0.10.6-0+deb12u1    -
trixie               fixed       0.11.2-1+deb13u1    -
forky                fixed       0.11.3-1            -
sid                  fixed       0.12.0-1            -
(unstable)           fixed       0.11.2-1            -

EUVD-2025-23900 vulnerability details – vuln.today