Description
A weakness has been identified in libssh up to 0.11.3. The impacted element is the function sftp_extensions_get_name/sftp_extensions_get_data of the file src/sftp.c of the component SFTP Extension Name Handler. Executing a manipulation of the argument idx can lead to out-of-bounds read. The attack may be performed from remote. Upgrading to version 0.11.4 and 0.12.0 is sufficient to resolve this issue. This patch is called 855a0853ad3abd4a6cd85ce06fce6d8d4c7a0b60. You should upgrade the affected component.
Published: 2026-03-08
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Out-of-bounds read enabling remote information disclosure
Action: Patch
AI Analysis

Impact

This vulnerability resides in the SFTP Extension Name Handler of libssh, specifically in the functions sftp_extensions_get_name and sftp_extensions_get_data. It allows an attacker to cause an out-of-bounds read by manipulating the index argument, potentially leaking arbitrary memory contents. The issue is not a code‑execution flaw but can expose sensitive data stored in the process’s memory, such as credentials or encryption keys, thereby compromising confidentiality.

Affected Systems

All installations of libssh up to and including version 0.11.3 are affected. Versions 0.11.4 and 0.12.0 include the fixed commit 855a0853ad3abd4a6cd85ce06fce6d8d4c7a0b60. The library is used by a variety of applications that provide SFTP services, so any deployment that employs the vulnerable libssh library is at risk.

Risk and Exploitability

The CVSS v3.1 score of 6.9 signifies a moderate severity, and the EPSS score of <1% indicates a very low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Attack requires remote access to the SFTP service and the ability to send crafted requests that trigger the out-of-bounds read. If an attacker achieves successful exploitation, they could read arbitrary data from the server’s memory, leading to information disclosure. Because the flaw is in an out-of-bounds read rather than a remote code‑execution vector, immediate exploitation is unlikely, but the impact on confidentiality should still be mitigated.

Generated by OpenCVE AI on April 16, 2026 at 04:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade libssh to the fixed releases 0.11.4 or 0.12.0
  • Restart all services that link against libssh to ensure the updated library is in use
  • If an upgrade is temporarily infeasible, block or disable the SFTP protocol for external clients to prevent the vulnerable function from being exercised

Generated by OpenCVE AI on April 16, 2026 at 04:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 11 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Sun, 08 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
Description A weakness has been identified in libssh up to 0.11.3. The impacted element is the function sftp_extensions_get_name/sftp_extensions_get_data of the file src/sftp.c of the component SFTP Extension Name Handler. Executing a manipulation of the argument idx can lead to out-of-bounds read. The attack may be performed from remote. Upgrading to version 0.11.4 and 0.12.0 is sufficient to resolve this issue. This patch is called 855a0853ad3abd4a6cd85ce06fce6d8d4c7a0b60. You should upgrade the affected component.
Title libssh SFTP Extension Name sftp.c sftp_extensions_get_data out-of-bounds
First Time appeared Libssh
Libssh libssh
Weaknesses CWE-119
CWE-125
CPEs cpe:2.3:a:libssh:libssh:*:*:*:*:*:*:*:*
Vendors & Products Libssh
Libssh libssh
References
Metrics cvssV2_0

{'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:N/A:P/E:ND/RL:OF/RC:C'}

cvssV3_0

{'score': 5.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C'}

cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X'}

Subscriptions

Libssh Libssh
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-11T19:50:33.441Z

Reserved: 2026-03-07T17:52:02.964Z

Link: CVE-2026-3731

cve-icon Vulnrichment

Updated: 2026-03-11T19:50:30.436Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-08T11:15:50.307

Modified: 2026-03-12T19:02:31.637

Link: CVE-2026-3731

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-08T10:32:19Z

Links: CVE-2026-3731 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T04:30:13Z

Weaknesses