CVE-2025-5318: A flaw was found in the libssh library in versions less than 0.11.2. An out-of-bounds read can be triggered in the sftp_handle function due to an incorrect…

high8.1CVSS 3.1

AVNACLPRLUINSUCHINAH

A flaw was found in the libssh library in versions less than 0.11.2. An out-of-bounds read can be triggered in the sftp_handle function due to an incorrect comparison check that permits the function to access memory beyond the valid handle list and to return an invalid pointer, which is used in further processing. This vulnerability allows an authenticated remote attacker to potentially read unintended memory regions, exposing sensitive information or affect service behavior.

Affected

19 ranges

Vendor	Product	Version range	Fixed in
debian	libssh	< libssh 0.10.6-0+deb12u2 (bookworm)	libssh 0.10.6-0+deb12u2 (bookworm)
libssh	libssh	< 0.11.2	0.11.2
libssh	libssh	>= 0 < 0.9.8-0+deb11u2	0.9.8-0+deb11u2
libssh	libssh	>= 0 < 0.10.6-0+deb12u2	0.10.6-0+deb12u2
libssh	libssh	>= 0 < 0.11.2-1	0.11.2-1
libssh	libssh	>= 0 < 0.11.2-1	0.11.2-1
libssh	libssh	>= 0 < 0.9.6-2ubuntu0.22.04.4	0.9.6-2ubuntu0.22.04.4
libssh	libssh	>= 0 < 0.10.6-2ubuntu0.1	0.10.6-2ubuntu0.1
libssh	libssh	>= 0 < 0.6.3-4.3ubuntu0.6+esm2	0.6.3-4.3ubuntu0.6+esm2
libssh	libssh	>= 0 < 0.8.0~20170825.94fa1e38-1ubuntu0.7+esm4	0.8.0~20170825.94fa1e38-1ubuntu0.7+esm4
libssh	libssh	>= 0 < 0.9.3-2ubuntu2.5+esm1	0.9.3-2ubuntu2.5+esm1
msrc	azl3_libssh_0.10.6-1_on_azure_linux_3.0	—	—
msrc	azl3_libssh_0.10.6-2_on_azure_linux_3.0	—	—
msrc	cbl2_libssh_0.10.6-1_on_cbl_mariner_2.0	—	—
msrc	cbl2_libssh_0.10.6-2_on_cbl_mariner_2.0	—	—
redhat	enterprise_linux	—	—
redhat	enterprise_linux	—	—
redhat	enterprise_linux	—	—
redhat	openshift_container_platform	—	—

CVSS provenance

nvdv3.18.1HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

osv8.1HIGH