CVE-2026-0966 — Buffer Underflow in Libssh

CWE-124 — Buffer Underflow10 documents7 sources

Severity

6.5MEDIUMNVD

OSV3.1

EPSS

0.1%

top 71.86%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Libssh Debian Libssh

Timeline

PublishedMar 26

Description

The API function `ssh_get_hexa()` is vulnerable, when 0-lenght input is provided to this function. This function is used internally in `ssh_get_fingerprint_hash()` and `ssh_print_hexa()` (deprecated), which is vulnerable to the same input (length is provided by the calling application). The function is also used internally in the gssapi code for logging the OIDs received by the server during GSSAPI authentication. This could be triggered remotely, when the server allows GSSAPI authentication an…

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:LExploitability: 3.9 | Impact: 2.5

Affected Packages3 packages

▶debiandebian/libssh< libssh 0.12.0-1 (forky)

▶Debianlibssh/libssh< 0.12.0-1

▶Ubuntulibssh/libssh< 0.9.6-2ubuntu0.22.04.6+5

🔴Vulnerability Details

GHSA

GHSA-wcqf-w94x-4wg2: The API function `ssh_get_hexa()` is vulnerable, when 0-lenght input is provided to this function↗2026-03-26

▶

OSV

CVE-2026-0966: The API function `ssh_get_hexa()` is vulnerable, when 0-lenght input is provided to this function↗2026-03-26

▶

OSV

libssh vulnerabilities↗2026-02-23

▶

OSV

libssh vulnerabilities↗2026-02-18

▶

📋Vendor Advisories

Ubuntu

libssh vulnerabilities↗2026-02-23

▶

Ubuntu

libssh vulnerabilities↗2026-02-18

▶

Red Hat

libssh: Buffer underflow in ssh_get_hexa() on invalid input↗2026-02-10

▶

Debian

CVE-2026-0966: libssh - The API function `ssh_get_hexa()` is vulnerable, when 0-lenght input is provided...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-0966 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶