Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network vector confirmed by SSH protocol; PR:N because attacker controls the server and needs no client-side credentials; UI:R because victim must initiate the connection.
Primary rating from Vendor (jpcert).
CVSS VectorVendor: jpcert
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Improper Handling of Length Parameter Inconsistency (CWE-130) vulnerability exists in TTSSH2 plugin of Tera Term provided by TeraTerm Project. When Tera Term attempts to establish an SSH connection to a server set up by an attacker, out-of-bounds read/write may occur. As a result, the contents of adjacent memory regions may be transmitted to the server, and Tera Term may behave unexpected or terminate abnormally.
AnalysisAI
Out-of-bounds read/write in the TTSSH2 SSH plugin of Tera Term exposes users who connect to attacker-controlled SSH servers to memory disclosure and process crashes. A malicious SSH server can send crafted packets with inconsistent length parameters during connection establishment, causing the TTSSH2 plugin to read and write beyond allocated buffer boundaries - leaking adjacent memory contents (potentially including session data or credentials) back to the attacker's server. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The victim must actively initiate an SSH connection from a Windows system running Tera Term with the TTSSH2 plugin to an SSH server controlled by the attacker. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.0 score of 6.3 (Medium) reflects a balanced but real threat: AV:N/AC:L indicates the attack is network-reachable with low complexity, but UI:R caps severity because the victim must actively initiate the SSH connection to the attacker's server. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a domain, deploys a malicious SSH server, and delivers a phishing message or DNS-redirects a Tera Term user to connect to it. Upon connection initiation, the malicious server responds with SSH handshake packets containing deliberately inconsistent length fields. … |
| Remediation | Consult the TeraTerm Project security advisory at https://teratermproject.github.io/SA/JVN65294474-en.html for the official patched release version - no specific fixed version number was present in the intelligence data available for this analysis, so the exact upgrade target must be confirmed from the advisory before patching. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-45139
GHSA-qcvw-2hm7-q2rp