Denial of Service via crafted SSH_MSG_EXT_INFO message
Summary
libssh2 through 1.11.1, fixed in commit 1762685, contains a pre-authentication denial of service vulnerability in the SSH_MSG_EXT_INFO handler in src/packet.c that allows a malicious SSH server to cause a client CPU exhaustion loop by sending a crafted extension count value. A malicious server can set nr_extensions to 0xFFFFFFFF during key exchange, causing the client to spin in a tight CPU loop for over 60 seconds because return values from _libssh2_get_string() are unchecked and the session timeout does not apply to CPU-bound loops. A vulnerability in libssh2 allows a malicious SSH server to freeze connected clients during the handshake process. By sending a malformed packet, the server triggers a loop that exhausts the client's CPU, resulting in a denial of service. A Moderate-rated denial of service vulnerability in the libssh2 client allows a malicious SSH server to freeze the connecting application. By triggering an infinite CPU loop during the initial connection handshake, the server can render the client unresponsive. Note: Red Hat Enterprise Linux (RHEL) 8 and newer are not affected by this flaw, as they do not ship the libssh2 package. Red Hat severity: Moderate — CVSS 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H). Weakness: CWE-606. Fixed by RHSA-2026:29950 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat Hardened Images. Will not fix / out of support: Red Hat Enterprise Linux 6; Red Hat Enterprise Linux 7.
- libssh2-main-1.11.1-8.hum1
Official advisory · high-confidence parse· fetched 6 hours ago·verify at source
- libssh2-main-1.11.1-8.hum1
- RHSA-2026:29950
Official advisory · high-confidence parse· fetched 6 hours ago·verify at source
Mitigation checklist
- To mitigate this issue, ensure your libssh2 clients only connect to trusted SSH servers. You can enforce this by implementing outbound network access controls (egress filtering) to block applications from initiating connections to unknown or untrusted external hosts.
Official advisory · high-confidence parse· fetched 6 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.