CVE-2026-0966

The API function `ssh_get_hexa()` is vulnerable, when 0-lenght input is provided to this function. This function is used internally in `ssh_get_fingerprint_hash()` and `ssh_print_hexa()` (deprecated), which is vulnerable to the same input (length is provided by the calling application). The function is also used internally in the gssapi code for logging the OIDs received by the server during GSSAPI authentication. This could be triggered remotely, when the server allows GSSAPI authentication and logging verbosity is set at least to SSH_LOG_PACKET (3). This could cause self-DoS of the per-connection daemon process.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Exploitability : 3.9 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://access.redhat.com/security/cve/CVE-2026-0966
https://bugzilla.redhat.com/show_bug.cgi?id=2433121
https://www.libssh.org/2026/02/10/libssh-0-12-0-and-0-11-4-security-releases/

Configurations

No configuration.

History

No history.

Information

Published : 2026-03-26 21:17

Updated : 2026-03-30 13:26

NVD link : CVE-2026-0966

Mitre link : CVE-2026-0966

CVE.ORG link : CVE-2026-0966

JSON object : View

Products Affected

No product.

CWE

CWE-124

Buffer Underwrite ('Buffer Underflow')

{"id": "CVE-2026-0966", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "secalert@redhat.com", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 2.5, "exploitabilityScore": 3.9}]}, "published": "2026-03-26T21:17:00.783", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-0966", "source": "secalert@redhat.com"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433121", "source": "secalert@redhat.com"}, {"url": "https://www.libssh.org/2026/02/10/libssh-0-12-0-and-0-11-4-security-releases/", "source": "secalert@redhat.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-124"}]}], "descriptions": [{"lang": "en", "value": "The API function `ssh_get_hexa()` is vulnerable, when 0-lenght\ninput is provided to this function. This function is used internally\nin `ssh_get_fingerprint_hash()` and `ssh_print_hexa()` (deprecated),\nwhich is vulnerable to the same input (length is provided by the\ncalling application).\n\nThe function is also used internally in the gssapi code for logging\nthe OIDs received by the server during GSSAPI authentication. This\ncould be triggered remotely, when the server allows GSSAPI authentication\nand logging verbosity is set at least to SSH_LOG_PACKET (3). This\ncould cause self-DoS of the per-connection daemon process."}, {"lang": "es", "value": "La funci\u00f3n API 'ssh_get_hexa()' es vulnerable cuando se proporciona una entrada de longitud 0 a esta funci\u00f3n. Esta funci\u00f3n se utiliza internamente en 'ssh_get_fingerprint_hash()' y 'ssh_print_hexa()' (obsoleta), la cual es vulnerable a la misma entrada (la longitud es proporcionada por la aplicaci\u00f3n que realiza la llamada).\n\nLa funci\u00f3n tambi\u00e9n se utiliza internamente en el c\u00f3digo gssapi para registrar los OID recibidos por el servidor durante la autenticaci\u00f3n GSSAPI. Esto podr\u00eda activarse de forma remota cuando el servidor permite la autenticaci\u00f3n GSSAPI y la verbosidad del registro se establece al menos en SSH_LOG_PACKET (3). Esto podr\u00eda causar un auto-DoS del proceso demonio por conexi\u00f3n."}], "lastModified": "2026-03-30T13:26:50.827", "sourceIdentifier": "secalert@redhat.com"}