Description
libssh2 through 1.11.1, fixed in commit 2dae302, contains an out-of-bounds heap read vulnerability in the sftp_symlink() function in src/sftp.c that allows a malicious SSH server or man-in-the-middle attacker to disclose heap memory contents or cause a crash by sending a crafted SSH_FXP_NAME response. Attackers can supply a link_len value larger than the actual packet data in SSH_FXP_NAME responses for SFTP READLINK and REALPATH operations, triggering a heap buffer over-read of up to target_len minus one bytes due to the missing validation of available packet buffer size before the memcpy operation.
Published: 2026-06-18
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

libssh2 versions through 1.11.1 possess an out‑of‑bounds heap read in the sftp_symlink() routine. A malicious SSH server or a man‑in‑the‑middle attacker can send a crafted SSH_FXP_NAME response with a link_len that exceeds the actual packet size for SFTP READLINK or REALPATH operations. The code copies the packet data without validating that the buffer is large enough, causing a heap buffer over‑read of up to target_len minus one bytes. An attacker may thus read arbitrary memory contents or trigger a crash, impacting confidentiality and availability.

Affected Systems

The vulnerability affects any installation of libssh2 prior to the fix in commit 2dae302, which corresponds to version 1.11.1 and earlier. All systems or applications that link against these versions of the library are potentially affected. The update is available in the library’s source repository and should be incorporated into any build that uses libssh2.

Risk and Exploitability

The CVSS score of 8.3 marks this flaw as high severity. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no confirmed widespread exploitation yet. Exploitation requires an attacker to control or intercept an SFTP session and send the malformed response; therefore, the attack vector is local to the SSH sftp channel rather than arbitrary network access. The lack of external exposure limits immediate risk, but any compromise of the SFTP interface can lead to data leakage or destabilization of the client or server process.

Generated by OpenCVE AI on June 18, 2026 at 21:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade libssh2 to a version that includes the fix from commit 2dae302 or later.
  • If an upgrade is not possible, configure the SSH client or server to disallow SFTP READLINK and REALPATH operations from untrusted hosts, thereby preventing the vulnerable code path from being exercised.
  • Rebuild or recompile dependent applications with the patched libssh2 source to ensure the vulnerable function is removed from the runtime environment.

Generated by OpenCVE AI on June 18, 2026 at 21:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6365-1 libssh2 security update
Ubuntu USN Ubuntu USN USN-8486-1 libssh2 vulnerabilities
History

Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Moderate


Mon, 22 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 22:15:00 +0000

Type Values Removed Values Added
First Time appeared Libssh2
Libssh2 libssh2
Vendors & Products Libssh2
Libssh2 libssh2

Thu, 18 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description libssh2 through 1.11.1, fixed in commit 2dae302, contains an out-of-bounds heap read vulnerability in the sftp_symlink() function in src/sftp.c that allows a malicious SSH server or man-in-the-middle attacker to disclose heap memory contents or cause a crash by sending a crafted SSH_FXP_NAME response. Attackers can supply a link_len value larger than the actual packet data in SSH_FXP_NAME responses for SFTP READLINK and REALPATH operations, triggering a heap buffer over-read of up to target_len minus one bytes due to the missing validation of available packet buffer size before the memcpy operation.
Title libssh2 - Heap Buffer Over-read via sftp_symlink() in sftp.c
Weaknesses CWE-125
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H'}

cvssV4_0

{'score': 8.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-23T16:13:21.698Z

Reserved: 2026-06-18T20:12:38.095Z

Link: CVE-2025-15661

cve-icon Vulnrichment

Updated: 2026-06-22T18:07:07.454Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-18T20:18:29Z

Links: CVE-2025-15661 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T22:00:12Z

Weaknesses