CVE-2026-3731Improper Restriction of Operations within the Bounds of a Memory Buffer in Libssh

CWE-119Improper Restriction of Operations within the Bounds of a Memory BufferCWE-125Out-of-bounds Read8 documents8 sources
Severity
6.9MEDIUMNVD
EPSS
0.1%
top 71.01%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
LibsshDebian LibsshMsrc Azl3 Libssh 0.10.6-5 ON Azure Linux 3.0+1 more
Timeline
PublishedMar 8
Latest updateMar 16

Description

A weakness has been identified in libssh up to 0.11.3. The impacted element is the function sftp_extensions_get_name/sftp_extensions_get_data of the file src/sftp.c of the component SFTP Extension Name Handler. Executing a manipulation of the argument idx can lead to out-of-bounds read. The attack may be performed from remote. Upgrading to version 0.11.4 and 0.12.0 is sufficient to resolve this issue. This patch is called 855a0853ad3abd4a6cd85ce06fce6d8d4c7a0b60. You should upgrade the affected

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Affected Packages6 packages

debiandebian/libssh< libssh 0.12.0-1 (forky)
Debianlibssh/libssh< 0.12.0-1
NVDlibssh/libssh0.11.3
CVEListV5libssh/libssh4 versions+3

Patches

Patch: gitlab.comPatch: www.libssh.org

🔴Vulnerability Details

2
OSV
CVE-2026-3731: A weakness has been identified in libssh up to 02026-03-08
GHSA
GHSA-wg5h-wgv3-pgqh: A weakness has been identified in libssh up to 02026-03-08

📋Vendor Advisories

4
Ubuntu
libssh vulnerability2026-03-16
Microsoft
libssh SFTP Extension Name sftp.c sftp_extensions_get_data out-of-bounds2026-03-10
Red Hat
libssh: libssh: Denial of Service via out-of-bounds read in SFTP extension name handler2026-03-08
Debian
CVE-2026-3731: libssh - A weakness has been identified in libssh up to 0.11.3. The impacted element is t...2026

🕵️Threat Intelligence

1
Wiz
CVE-2026-3731 Impact, Exploitability, and Mitigation Steps | Wiz