Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
Potential read out of bounds case with wolfSSHd on Windows while handling a terminal resize request. An authenticated user could trigger the out of bounds read after establishing a connection which would leak the adjacent stack memory to the pseudo-console output.
AnalysisAI
Out-of-bounds read in wolfSSHd on Windows allows authenticated users to leak adjacent stack memory via malformed terminal resize requests, exposing sensitive data through pseudo-console output. Affects wolfSSH versions prior to 1.5.0. CVSS score of 2.3 reflects low severity due to authentication requirement and limited confidentiality impact; vendor patch available.
Technical ContextAI
wolfSSH is a lightweight SSH server/client library used in embedded and resource-constrained environments. The vulnerability exists in the terminal resize request handler (likely CHANNEL_REQUEST for pty-req with window-change), which fails to properly validate buffer boundaries when processing resize data on Windows. The out-of-bounds read (CWE-126: Buffer Over-read) occurs in code handling pseudo-console (ConPTY) operations specific to Windows terminals. An authenticated SSH client sends a specially crafted resize request containing invalid dimensions or malformed data, causing the handler to read beyond allocated buffer bounds. The leaked stack memory is then transmitted to the client via the pseudo-console output stream, violating data confidentiality.
RemediationAI
Upgrade wolfSSH to version 1.5.0 or later, which includes the patch referenced in GitHub PR #846. The fix validates terminal resize request bounds and prevents out-of-bounds reads from pseudo-console handlers. If immediate upgrade is not feasible, apply the upstream fix from the merged PR #846 (https://github.com/wolfssl/wolfssh/pull/846) by building from the patched commit. As a temporary compensating control with significant limitations, restrict SSH access to wolfSSHd instances to trusted networks only (e.g., VPN, private subnets) to reduce credential compromise risk that enables this attack; however, this does NOT prevent exploitation by legitimate authenticated users and should not be relied upon as primary mitigation. Disable terminal/PTY functionality entirely if not required (disable CHANNEL_REQUEST handling for pty-req in configuration) - this eliminates the attack surface but breaks interactive terminal sessions.
Same weakness CWE-126 – Buffer Over-read
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23950