Description
A flaw was found in libssh. The API function `ssh_get_hexa()` is vulnerable to a denial of service when processing zero-length input. This can be exploited remotely by an attacker during GSSAPI (Generic Security Service Application Program Interface) authentication if the server's logging verbosity is set to `SSH_LOG_PACKET (3)` or higher. Successful exploitation could lead to a self-Denial of Service of the per-connection daemon process.
Published: 2026-03-26
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw was found in libssh. The API function ssh_get_hexa() is vulnerable to a denial of service when processing zero-length input. This can be exploited remotely by an attacker during GSSAPI authentication if the server’s logging verbosity is set to SSH_LOG_PACKET (3) or higher. Successful exploitation could lead to a self‑Denial of Service of the per‑connection daemon process. The issue is a classic buffer underflow (CWE‑124) and has no direct impact on confidentiality or integrity.

Affected Systems

The vulnerability affects Red Hat Enterprise Linux releases 6 through 10, Red Hat Hardened Images, and Red Hat OpenShift Container Platform 4. The affected component is the libssh library, particularly versions used in the sshd server on these platforms. Exact libssh version numbers are not specified in the data, but the issue applies to the bundles shipped with the indicated operating systems and container platform.

Risk and Exploitability

The CVSS score of 8.2 indicates high severity, and the EPSS score of less than 1% suggests a very low likelihood of exploitation at present. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Remote exploitation requires that the SSH server allow GSSAPI authentication and that logging level is configured to SSH_LOG_PACKET (the numeric value 3) or higher. An attacker who satisfies those prerequisites can trigger the denial of service by initiating a GSSAPI authentication attempt. Because the effect is self‑DoS rather than privilege escalation or data exfiltration, the overall risk is limited to availability degradation, although a high volume of triggered events could contribute to a larger denial‑of‑service scenario.

Generated by OpenCVE AI on May 11, 2026 at 17:54 UTC.

Remediation

Vendor Workaround

To mitigate this issue, consider disabling GSSAPI authentication if it is not required, or reduce the `LogLevel` in the `sshd_config` file to a value lower than `SSH_LOG_PACKET` (e.g., `INFO`). To disable GSSAPI authentication, add or modify the following line in `/etc/ssh/sshd_config`: `GSSAPIAuthentication no` To reduce logging verbosity, add or modify the following line in `/etc/ssh/sshd_config`: `LogLevel INFO` After making changes to `sshd_config`, the `sshd` service must be restarted for the changes to take effect. This may temporarily interrupt active SSH sessions.

OpenCVE Recommended Actions

  • Update the libssh package to a patched release provided by Red Hat (e.g., the security releases for libssh 0.12.0 and 0.11.4).
  • If an immediate update is not feasible, disable GSSAPI authentication by adding or modifying the line "GSSAPIAuthentication no" in /etc/ssh/sshd_config and restarting the sshd service to apply the change.
  • Alternatively, reduce the SSH LogLevel to INFO or lower than SSH_LOG_PACKET by setting "LogLevel INFO" in /etc/ssh/sshd_config and restarting sshd.

Generated by OpenCVE AI on May 11, 2026 at 17:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Ubuntu USN Ubuntu USN USN-8051-2 libssh vulnerabilities
History

Tue, 19 May 2026 13:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/o:redhat:enterprise_linux:9 cpe:/a:redhat:enterprise_linux:9::appstream
cpe:/o:redhat:enterprise_linux:9::baseos
References

Tue, 19 May 2026 10:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/o:redhat:enterprise_linux:10 cpe:/o:redhat:enterprise_linux:10.2
References

Mon, 11 May 2026 16:30:00 +0000

Type Values Removed Values Added
Description The API function `ssh_get_hexa()` is vulnerable, when 0-lenght input is provided to this function. This function is used internally in `ssh_get_fingerprint_hash()` and `ssh_print_hexa()` (deprecated), which is vulnerable to the same input (length is provided by the calling application). The function is also used internally in the gssapi code for logging the OIDs received by the server during GSSAPI authentication. This could be triggered remotely, when the server allows GSSAPI authentication and logging verbosity is set at least to SSH_LOG_PACKET (3). This could cause self-DoS of the per-connection daemon process. A flaw was found in libssh. The API function `ssh_get_hexa()` is vulnerable to a denial of service when processing zero-length input. This can be exploited remotely by an attacker during GSSAPI (Generic Security Service Application Program Interface) authentication if the server's logging verbosity is set to `SSH_LOG_PACKET (3)` or higher. Successful exploitation could lead to a self-Denial of Service of the per-connection daemon process.
Title Libssh: buffer underflow in ssh_get_hexa() on invalid input Libssh: libssh: denial of service via zero-length input in ssh_get_hexa()
Metrics cvssV3_0

{'score': 6.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}

 cvssV3_0

{'score': 6.5, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H'}

Thu, 30 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat hardened Images
Redhat openshift Container Platform
CPEs cpe:2.3:a:libssh:libssh:*:*:*:*:*:*:*:*
cpe:2.3:a:redhat:hardened_images:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
Vendors & Products Redhat hardened Images
Redhat openshift Container Platform
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H'}

Fri, 24 Apr 2026 23:00:00 +0000

Type Values Removed Values Added
References

Thu, 09 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat hummingbird
CPEs cpe:/a:redhat:hummingbird:1
Vendors & Products Redhat hummingbird

Fri, 27 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 21:30:00 +0000

Type Values Removed Values Added
References

Thu, 26 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Description No description is available for this CVE. The API function `ssh_get_hexa()` is vulnerable, when 0-lenght input is provided to this function. This function is used internally in `ssh_get_fingerprint_hash()` and `ssh_print_hexa()` (deprecated), which is vulnerable to the same input (length is provided by the calling application). The function is also used internally in the gssapi code for logging the OIDs received by the server during GSSAPI authentication. This could be triggered remotely, when the server allows GSSAPI authentication and logging verbosity is set at least to SSH_LOG_PACKET (3). This could cause self-DoS of the per-connection daemon process.
Title libssh: Buffer underflow in ssh_get_hexa() on invalid input Libssh: buffer underflow in ssh_get_hexa() on invalid input
First Time appeared Redhat
Redhat enterprise Linux
Redhat openshift
Weaknesses CWE-124
CPEs cpe:/a:redhat:openshift:4
cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:6
cpe:/o:redhat:enterprise_linux:7
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux
Redhat openshift
References
Metrics cvssV3_0

{'score': 6.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}

Mon, 16 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Libssh
Libssh libssh
Vendors & Products Libssh
Libssh libssh

Wed, 11 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
Description No description is available for this CVE.
Title libssh: Buffer underflow in ssh_get_hexa() on invalid input
References
Metrics threat_severity

None

 threat_severity

Moderate

Subscriptions

Libssh Libssh
Redhat Enterprise Linux Hardened Images Hummingbird Openshift Openshift Container Platform
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-05-19T13:17:00.782Z

Reserved: 2026-01-14T21:54:59.132Z

Link: CVE-2026-0966

cve-icon Vulnrichment

Updated: 2026-03-27T19:52:27.669Z

cve-icon NVD

Status : Modified

Published: 2026-03-26T21:17:00.783

Modified: 2026-05-19T14:16:36.260

Link: CVE-2026-0966

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-02-10T18:47:15Z

Links: CVE-2026-0966 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-11T18:00:14Z

Weaknesses