Skip to main content

SSH EUVDEUVD-2026-16326

| CVE-2026-0964 MEDIUM
Path Traversal (CWE-22)
2026-03-26 redhat
6.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Ubuntu
MEDIUM
qualitative
SUSE
3.1 LOW
AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
Red Hat
5.0 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

5
CVSS changed
Apr 30, 2026 - 16:52 NVD
5.0 (MEDIUM) 6.3 (MEDIUM)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 26, 2026 - 20:31 euvd
EUVD-2026-16326
Analysis Generated
Mar 26, 2026 - 20:31 vuln.today
CVE Published
Mar 26, 2026 - 20:06 nvd
MEDIUM 5.0

DescriptionCVE.org

A malicious SCP server can send unexpected paths that could make the client application override local files outside of working directory. This could be misused to create malicious executable or configuration files and make the user execute them under specific consequences.

This is the same issue as in OpenSSH, tracked as CVE-2019-6111.

AnalysisAI

SCP client implementations across Red Hat Enterprise Linux 6-10 and OpenShift Container Platform 4 are vulnerable to path traversal during file transfer, allowing a malicious SCP server to write files outside the designated working directory and potentially execute arbitrary code or modify system configuration. This vulnerability mirrors CVE-2019-6111 in OpenSSH; unauthenticated remote attackers can exploit it with high user interaction (the victim must initiate an SCP connection to a malicious server), resulting in confidentiality, integrity, and availability compromise. No public exploit code or active exploitation has been confirmed at the time of analysis.

Technical ContextAI

The vulnerability is rooted in CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), a classic path traversal flaw in the Secure Copy Protocol (SCP) implementation. When an SCP server responds to a client file transfer request, it can embed directory traversal sequences (such as '../') in file paths; a vulnerable client will blindly accept these paths and write files outside the intended working directory without sanitization. The affected products span multiple Red Hat Enterprise Linux major versions (6, 7, 8, 9, and 10) plus OpenShift Container Platform 4, all identified via their respective CPE strings (cpe:2.3:a:red_hat:red_hat_enterprise_linux_*). The root cause is insufficient input validation of server-supplied paths before local file operations, allowing attackers to exploit the trust relationship between client and server.

RemediationAI

Apply Red Hat-released patches for affected RHEL versions (6, 7, 8, 9, and 10) and OpenShift Container Platform 4 by consulting the official advisory at https://access.redhat.com/security/cve/CVE-2026-0964. Exact patched versions are not specified in currently available data; contact Red Hat support or monitor the advisory for version-specific updates. As an interim workaround pending patching, restrict SCP connections to trusted servers only by implementing firewall rules or SSH configuration policies (e.g., ProxyJump or bastion host requirements), disable SCP entirely if not required and use alternatives such as SFTP (which includes path validation), or conduct security awareness training to remind users not to initiate SCP transfers to untrusted or unexpected servers. Review Bugzilla ticket https://bugzilla.redhat.com/show_bug.cgi?id=2436979 for status updates and available patch timelines.

More in SSH

View all
CVE-2014-6271 CRITICAL POC
9.8 Sep 24

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which

CVE-2014-6278 HIGH POC
8.8 Sep 30

GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, whi

CVE-2014-7169 CRITICAL POC
9.8 Sep 25

GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of

CVE-2012-6066 CRITICAL POC
9.3 Dec 04

freeSSHd.exe in freeSSHd through 1.2.6 allows remote attackers to bypass authentication via a crafted session, as demons

CVE-2014-6277 CRITICAL POC
10.0 Sep 27

GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, whi

CVE-2023-25136 MEDIUM POC
6.5 Feb 03

OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. Rated medium se

CVE-2016-6210 MEDIUM POC
5.9 Feb 13

sshd in OpenSSH before 7.3, when SHA256 or SHA512 are used for user password hashing, uses BLOWFISH hashing on a static

CVE-2015-5600 HIGH POC
8.1 Aug 03

The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processin

CVE-2016-6515 HIGH POC
7.5 Aug 07

The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password a

CVE-2024-6387 HIGH POC
8.1 Jul 01

Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to

CVE-2012-5975 CRITICAL POC
9.3 Dec 04

The SSH USERAUTH CHANGE REQUEST feature in SSH Tectia Server 6.0.4 through 6.0.20, 6.1.0 through 6.1.12, 6.2.0 through 6

CVE-2023-48795 MEDIUM POC
5.9 Dec 18

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot

Vendor StatusVendor

Ubuntu

Priority: Medium
libssh
Release Status Version
upstream released 0.11.4
jammy released 0.9.6-2ubuntu0.22.04.6
noble released 0.10.6-2ubuntu0.3
questing released 0.11.2-1ubuntu0.2
bionic released 0.8.0~20170825.94fa1e38-1ubuntu0.7+esm6
focal released 0.9.3-2ubuntu2.5+esm3
xenial released 0.6.3-4.3ubuntu0.6+esm4

Debian

Bug #1127693
libssh
Release Status Fixed Version Urgency
bullseye vulnerable 0.9.8-0+deb11u1 -
bullseye (security) vulnerable 0.9.8-0+deb11u2 -
bookworm vulnerable 0.10.6-0+deb12u2 -
bookworm (security) vulnerable 0.10.6-0+deb12u1 -
trixie vulnerable 0.11.2-1+deb13u1 -
forky vulnerable 0.11.3-1 -
sid fixed 0.12.0-3 -
(unstable) fixed 0.12.0-1 -

SUSE

Severity: Low
Product Status
Container private-registry/harbor-trivy-adapter:1.1.1-1.40 Container suse/manager/5.0/x86_64/server:latest Image SLES15-SP7-CHOST-BYOS-Aliyun Image SLES15-SP7-CHOST-BYOS-Azure Image SLES15-SP7-CHOST-BYOS-EC2 Image SLES15-SP7-CHOST-BYOS-GCE Image SLES15-SP7-CHOST-BYOS-GDC Image SLES15-SP7-CHOST-BYOS-SAP-CCloud Image SLES15-SP7-SAP-BYOS-EC2 Image SLES15-SP7-SAP-GCE-3P Image SLES15-SP7-SAP-Hardened-BYOS-EC2 Image pr_15_7 Affected
Container suse/ltss/sle12.5/sles12sp5:8.5.205 Image SLES12-SP5-EC2-SAP-BYOS Image SLES12-SP5-SAP-Azure-LI-BYOS-Production Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production Affected
Container suse/sl-micro/6.0/baremetal-os-container:latest Container suse/sl-micro/6.0/base-os-container:latest Container suse/sl-micro/6.0/kvm-os-container:latest Container suse/sl-micro/6.0/rt-os-container:latest Container suse/sl-micro/6.0/toolbox:latest Affected
Container suse/sl-micro/6.1/baremetal-os-container:2.2.1-7.59 Container suse/sl-micro/6.1/base-os-container:2.2.1-5.80 Container suse/sl-micro/6.1/kvm-os-container:2.2.1-5.85 Container suse/sl-micro/6.1/rt-os-container:2.2.1-5.73 Image SL-Micro-Base Image SL-Micro-Base-RT Image SL-Micro-Base-RT-SelfInstall Image SL-Micro-Base-RT-encrypted Image SL-Micro-Base-SelfInstall Image SL-Micro-Base-encrypted Image SL-Micro-Base-qcow Image SL-Micro-Default Image SL-Micro-Default-SelfInstall Image SL-Micro-Default-encrypted Image SL-Micro-Default-qcow Image SL-Micro-EC2 Image SUSE-Multi-Linux-Manager-Proxy-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Server-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Server-EC2-llc Image SUSE-Multi-Linux-Manager-Server-EC2-ltd Affected
Container suse/sle-micro-rancher/5.2:latest Container suse/sle-micro/5.2/toolbox:14.2-7.11.242 Affected

Share

EUVD-2026-16326 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy