CVE-2026-0966

NameCVE-2026-0966
DescriptionThe API function `ssh_get_hexa()` is vulnerable, when 0-lenght input is provided to this function. This function is used internally in `ssh_get_fingerprint_hash()` and `ssh_print_hexa()` (deprecated), which is vulnerable to the same input (length is provided by the calling application). The function is also used internally in the gssapi code for logging the OIDs received by the server during GSSAPI authentication. This could be triggered remotely, when the server allows GSSAPI authentication and logging verbosity is set at least to SSH_LOG_PACKET (3). This could cause self-DoS of the per-connection daemon process.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1127693

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libssh (PTS)bullseye0.9.8-0+deb11u1vulnerable
bullseye (security)0.9.8-0+deb11u2vulnerable
bookworm0.10.6-0+deb12u2vulnerable
bookworm (security)0.10.6-0+deb12u1vulnerable
trixie0.11.2-1+deb13u1vulnerable
forky, sid0.12.0-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libsshsource(unstable)0.12.0-11127693

Notes

[trixie] - libssh <no-dsa> (Minor issue)
[bookworm] - libssh <no-dsa> (Minor issue)
[bullseye] - libssh <postponed> (Minor issue)
https://www.libssh.org/security/advisories/CVE-2026-0966.txt
Documentation: https://git.libssh.org/projects/libssh.git/commit/?id=3e1d276a5a030938a8f144f46ff4f2a2efe31ced (libssh-0.11.4)
Tests: https://git.libssh.org/projects/libssh.git/commit/?id=b156391833c66322436cf177d57e10b0325fbcc8 (libssh-0.11.4)
Fixed by: https://git.libssh.org/projects/libssh.git/commit/?id=6ba5ff1b7b1547a59f750fbc06b89737b7456117 (libssh-0.11.4)
Search for package or bug name: Reporting problems