Information disclosure and denial of service via crafted SFTP response
Summary
libssh2 through 1.11.1, fixed in commit 2dae302, contains an out-of-bounds heap read vulnerability in the sftp_symlink() function in src/sftp.c that allows a malicious SSH server or man-in-the-middle attacker to disclose heap memory contents or cause a crash by sending a crafted SSH_FXP_NAME response. Attackers can supply a link_len value larger than the actual packet data in SSH_FXP_NAME responses for SFTP READLINK and REALPATH operations, triggering a heap buffer over-read of up to target_len minus one bytes due to the missing validation of available packet buffer size before the memcpy operation. A flaw in libssh2's sftp_symlink() function allows a malicious SSH server or man-in-the-middle attacker to trigger an out-of-bounds heap read via a crafted SSH_FXP_NAME response. This can disclose heap memory contents or crash the application, causing a denial of service (DoS). This Moderate-impact out-of-bounds heap read flaw in libssh2 allows a malicious SSH server or man-in-the-middle attacker to crash the application (DoS) or disclose heap memory by sending a crafted SFTP response. Red Hat severity: Moderate — CVSS 6.5 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H). Weakness: CWE-125. Fixed by RHSA-2026:30132 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat Hardened Images. Will not fix / out of support: Red Hat Enterprise Linux 6; Red Hat Enterprise Linux 7.
- libssh2-main-1.11.1-9.hum1
Official advisory · high-confidence parse· fetched 5 hours ago·verify at source
- libssh2-main-1.11.1-9.hum1
- RHSA-2026:30132
Official advisory · high-confidence parse· fetched 5 hours ago·verify at source
Mitigation checklist
- Implement strict network egress filtering to allow outbound SSH/SFTP traffic only to known, trusted endpoints. Additionally, enforce strict SSH host key checking in your libssh2 client applications to reject unknown servers and prevent Man-in-the-Middle (MitM) attacks.
Official advisory · high-confidence parse· fetched 5 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.