libssh2 - Out-of-Bounds Write via Unchecked packet_length in transport.c
Summary
libssh2 through 1.11.1, fixed in commit 7acf3df contains an out-of-bounds write vulnerability in ssh2_transport_read() that fails to enforce upper bounds on packet_length field. Remote attackers can send crafted SSH packets with excessively large packet_length values to corrupt heap memory and achieve remote code execution. An out-of-bounds write vulnerability exists in the libssh2 client. A remote attacker can exploit this by sending a specially crafted SSH packet with an abnormally large length value. This corrupts the application's memory and can potentially allow the attacker to execute arbitrary code on the affected system. An Important out-of-bounds write vulnerability was discovered in libssh2. As it only impacts client installations of the library, exploitation would require a victim to initiate an SSH connection to an attacker-controlled server. This means an attacker must first redirect client connections via DNS poisoning, a man-in-the-middle, or compromise of a trusted host. While the vulnerability does not require authentication and requires no special configuration, the client redirection prerequisites significantly limit the practical attack surface compared to a server-side flaw. The integer overflow provides uncontrolled access to the heap, which reliably crashes the client process but is unlikely to achieve remote code execution in practice. Weaponizing the overflow for code execution would require a separate information disclosure vulnerability to defeat ASLR, along with a specific heap layout to place exploitable structures adjacent to the undersized allocation. On RHEL, ASLR is enabled by default and glibc's heap metadata integrity checks further raise the bar, making denial of service the realistic impact for most deployments. Red Hat Enterprise Linux (RHEL) 8 and newer are not affected by this flaw, as they do not ship the libssh2 package. Red Hat severity: Moderate — CVSS 7.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L). Fixed by RHSA-2026:29950 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat Hardened Images. Will not fix / out of support: Red Hat Enterprise Linux 6.
- libssh2-main-1.11.1-8.hum1
Official advisory · high-confidence parse· fetched 1 day ago·verify at source
- libssh2-main-1.11.1-8.hum1
- RHSA-2026:29950
Official advisory · high-confidence parse· fetched 1 day ago·verify at source
Mitigation checklist
- The primary mitigation is strict network access control. Ensure libssh2 clients only connect to trusted SSH servers, and use firewalls to block untrusted incoming connections if libssh2 is deployed as a server-side application.
Official advisory · high-confidence parse· fetched 1 day ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.