Description
The API function `ssh_get_hexa()` is vulnerable, when 0-lenght
input is provided to this function. This function is used internally
in `ssh_get_fingerprint_hash()` and `ssh_print_hexa()` (deprecated),
which is vulnerable to the same input (length is provided by the
calling application).

The function is also used internally in the gssapi code for logging
the OIDs received by the server during GSSAPI authentication. This
could be triggered remotely, when the server allows GSSAPI authentication
and logging verbosity is set at least to SSH_LOG_PACKET (3). This
could cause self-DoS of the per-connection daemon process.
Published: 2026-03-26
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (self‑DoS) caused by buffer underflow in libssh
Action: Immediate Patch
AI Analysis

Impact

A zero‑length input supplied to the libssh function ssh_get_hexa() triggers a buffer underflow. The function is utilized by ssh_get_fingerprint_hash() and the deprecated ssh_print_hexa(), and is also employed in GSSAPI authentication logging. This unvalidated input can cause the per‑connection SSH daemon to crash or become unresponsive, resulting in a denial of service. The weakness is a classic buffer underflow (CWE‑124) and has no direct impact on confidentiality or integrity.

Affected Systems

The vulnerability affects Red Hat Enterprise Linux releases 6 through 10, Red Hat Hardened Images, and Red Hat OpenShift Container Platform 4. The affected component is the libssh library, particularly versions used in the sshd server on these platforms. Exact libssh version numbers are not specified in the data, but the issue applies to the bundles shipped with the indicated operating systems and container platform.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate impact, and the EPSS score of less than 1% suggests a very low likelihood of exploitation at present. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Remote exploitation requires that the SSH server allow GSSAPI authentication and that logging level is configured to SSH_LOG_PACKET (the numeric value 3) or higher. An attacker who satisfies those prerequisites can trigger the denial of service by initiating a GSSAPI authentication attempt. Because the effect is self‑DoS rather than privilege escalation or data exfiltration, the overall risk is limited to availability degradation, although a high volume of triggered events could contribute to a larger denial‑of‑service scenario.

Generated by OpenCVE AI on April 15, 2026 at 15:39 UTC.

Remediation

Vendor Workaround

To mitigate this issue, consider disabling GSSAPI authentication if it is not required, or reduce the `LogLevel` in the `sshd_config` file to a value lower than `SSH_LOG_PACKET` (e.g., `INFO`). To disable GSSAPI authentication, add or modify the following line in `/etc/ssh/sshd_config`: `GSSAPIAuthentication no` To reduce logging verbosity, add or modify the following line in `/etc/ssh/sshd_config`: `LogLevel INFO` After making changes to `sshd_config`, the `sshd` service must be restarted for the changes to take effect. This may temporarily interrupt active SSH sessions.

OpenCVE Recommended Actions

  • Update the libssh package to a patched release provided by Red Hat (e.g., the security releases for libssh 0.12.0 and 0.11.4).
  • If an immediate update is not feasible, disable GSSAPI authentication by adding or modifying the line "GSSAPIAuthentication no" in /etc/ssh/sshd_config and restarting the sshd service to apply the change.
  • Alternatively, reduce the SSH LogLevel to INFO or lower than SSH_LOG_PACKET by setting "LogLevel INFO" in /etc/ssh/sshd_config and restarting sshd.

Generated by OpenCVE AI on April 15, 2026 at 15:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Ubuntu USN Ubuntu USN USN-8051-2 libssh vulnerabilities
History

Thu, 09 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat hummingbird
CPEs cpe:/a:redhat:hummingbird:1
Vendors & Products Redhat hummingbird

Fri, 27 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 21:30:00 +0000

Type Values Removed Values Added
References

Thu, 26 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Description No description is available for this CVE. The API function `ssh_get_hexa()` is vulnerable, when 0-lenght input is provided to this function. This function is used internally in `ssh_get_fingerprint_hash()` and `ssh_print_hexa()` (deprecated), which is vulnerable to the same input (length is provided by the calling application). The function is also used internally in the gssapi code for logging the OIDs received by the server during GSSAPI authentication. This could be triggered remotely, when the server allows GSSAPI authentication and logging verbosity is set at least to SSH_LOG_PACKET (3). This could cause self-DoS of the per-connection daemon process.
Title libssh: Buffer underflow in ssh_get_hexa() on invalid input Libssh: buffer underflow in ssh_get_hexa() on invalid input
First Time appeared Redhat
Redhat enterprise Linux
Redhat openshift
Weaknesses CWE-124
CPEs cpe:/a:redhat:openshift:4
cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:6
cpe:/o:redhat:enterprise_linux:7
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux
Redhat openshift
References
Metrics cvssV3_0

{'score': 6.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}

Mon, 16 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Libssh
Libssh libssh
Vendors & Products Libssh
Libssh libssh

Wed, 11 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
Description No description is available for this CVE.
Title libssh: Buffer underflow in ssh_get_hexa() on invalid input
References
Metrics threat_severity

None

 threat_severity

Moderate

Subscriptions

Libssh Libssh
Redhat Enterprise Linux Hummingbird Openshift
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-04-18T18:05:53.971Z

Reserved: 2026-01-14T21:54:59.132Z

Link: CVE-2026-0966

cve-icon Vulnrichment

Updated: 2026-03-27T19:52:27.669Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-26T21:17:00.783

Modified: 2026-03-30T13:26:50.827

Link: CVE-2026-0966

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-02-10T18:47:15Z

Links: CVE-2026-0966 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T16:45:09Z

Weaknesses