Impact
libssh2 versions up to and including 1.11.1 contain an out‑of‑bounds heap read in the sftp_symlink() routine. A malicious SSH server or a man‑in‑the‑middle attacker can send a crafted SSH_FXP_NAME response, for an SFTP READLINK or REALPATH request, whose link_len field exceeds the actual packet size. The code copies the packet data without validating that the packet buffer holds that many bytes, causing a heap buffer over‑read of up to target_len minus one bytes. An attacker may thus read arbitrary memory contents or trigger a crash, impacting confidentiality and availability.
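The following is an added illustration of the missing check, written for this page and not taken from libssh2 or from the fix commit. It parses an SSH_FXP_NAME reply as a READLINK/REALPATH client would, using the wire layout from the SFTP draft (type byte, request-id, count, then string filename, string longname, ATTRS; the outer uint32 packet-length prefix is assumed to have been stripped already). The function names, the sample packets and the `target` buffer are constructed for the example; the check marked `(*)` is the length validation the advisory describes, i.e. the peer-supplied string length must never exceed the bytes that actually remain in the packet before anything is copied.

```c
/* Bounds-checked parsing of an SFTP SSH_FXP_NAME reply (READLINK / REALPATH).
 * Added illustration, not libssh2's code. Layout per the SFTP draft:
 *   byte type, uint32 request-id, uint32 count,
 *   then per entry: string filename, string longname, ATTRS.
 * Only the first filename is needed for READLINK / REALPATH. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SSH_FXP_NAME 104

/* Read a big-endian uint32 at *off, refusing to run past the packet end. */
static int get_u32(const unsigned char *p, size_t len, size_t *off, uint32_t *out)
{
    if (len - *off < 4) return -1;
    *out = ((uint32_t)p[*off] << 24) | ((uint32_t)p[*off + 1] << 16) |
           ((uint32_t)p[*off + 2] << 8) | (uint32_t)p[*off + 3];
    *off += 4;
    return 0;
}

/* Copy the first filename of an SSH_FXP_NAME reply into target.
 * Returns the name length, or -1 if the packet is malformed or the name
 * does not fit. target is NUL-terminated on success. */
int parse_readlink_name(const unsigned char *pkt, size_t pkt_len,
                        char *target, size_t target_len)
{
    size_t off;
    uint32_t request_id, count, link_len;

    if (pkt_len < 1 || pkt[0] != SSH_FXP_NAME) return -1;
    off = 1;
    if (get_u32(pkt, pkt_len, &off, &request_id)) return -1;
    if (get_u32(pkt, pkt_len, &off, &count) || count < 1) return -1;
    if (get_u32(pkt, pkt_len, &off, &link_len)) return -1;

    /* (*) link_len comes from the peer: it must not exceed the bytes that
     * really remain in the packet, or memcpy reads past the heap buffer. */
    if (link_len > pkt_len - off) return -1;
    /* Also refuse names that would not fit in the caller's buffer. */
    if (target_len == 0 || link_len > target_len - 1) return -1;

    memcpy(target, pkt + off, link_len);
    target[link_len] = '\0';
    return (int)link_len;
}

/* Constructed well-formed reply: request-id 1, count 1, filename "/tmp/real",
 * empty longname, ATTRS flags 0. */
const unsigned char good_pkt[] = {
    SSH_FXP_NAME, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 9,
    '/', 't', 'm', 'p', '/', 'r', 'e', 'a', 'l',
    0, 0, 0, 0,      /* longname: "" */
    0, 0, 0, 0       /* ATTRS: flags = 0 */
};
const size_t good_pkt_len = sizeof good_pkt;

/* Constructed malformed reply: the same header, but the filename length
 * field claims 200 bytes while only 9 follow. */
const unsigned char bad_pkt[] = {
    SSH_FXP_NAME, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 200,
    '/', 't', 'm', 'p', '/', 'r', 'e', 'a', 'l'
};
const size_t bad_pkt_len = sizeof bad_pkt;

int main(void)
{
    char target[64];
    int n = parse_readlink_name(good_pkt, good_pkt_len, target, sizeof target);
    printf("good packet: %d bytes -> \"%s\"\n", n, n >= 0 ? target : "");
    n = parse_readlink_name(bad_pkt, bad_pkt_len, target, sizeof target);
    printf("oversized link_len: %d (rejected)\n", n);
    return 0;
}
```

The well-formed packet yields the 9-byte name; the packet whose length field overstates the available data is rejected before any copy, which is the behaviour a patched client must have. A detection-minded reader can apply the same check to any parser that takes a length from the wire: compare it against the remaining packet bytes first, and only then against the destination buffer.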
Affected Systems
The vulnerability affects every libssh2 release up to and including 1.11.1, that is, any build without the fix in commit 2dae302. All systems or applications that link against these versions of the library are potentially affected. The fix is available in the library’s source repository and should be incorporated into any build that uses libssh2.
Risk and Exploitability
The CVSS score of 8.3 marks this flaw as high severity. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no confirmed widespread exploitation yet. Exploitation requires an attacker to control or intercept an SFTP session and send the malformed response; the attack surface is therefore the SFTP channel itself (a malicious server or a man‑in‑the‑middle), not arbitrary network access. The lack of external exposure limits immediate risk, but any compromise of the SFTP interface can lead to data leakage or destabilization of the client or server process.
OpenCVE Enrichment