Libssh: libssh: denial of service due to malformed sftp message
A flaw was found in libssh in which a malicious SFTP (SSH File Transfer Protocol) server can exploit this by sending a malformed 'longname' field within an `SSH_FXP_NAME` message during a file listing operation. This missing null check can lead to reading beyond allocated memory on the heap. This can cause unexpected behavior or lead to a denial of service (DoS) due to application crashes.
References
- RHBZ#2436982 issue-tracking x_refsource_REDHAT
- https://www.libssh.org/2026/02/10/libssh-0-12-0-and-0-11-4-security-releases/
- https://access.redhat.com/security/cve/CVE-2026-0968 x_refsource_REDHAT vdb-entry
Affected products
Matching in nixpkgs
pkgs.libssh
SSH client library
pkgs.libssh2
Client-side C library implementing the SSH2 protocol
pkgs.haskellPackages.libssh
libssh bindings
pkgs.haskellPackages.libssh2
FFI bindings to libssh2 SSH2 client library (http://libssh2.org/)
-
nixos-unstable 0.2.0.9-unstable-2025-04-03
- nixpkgs-unstable 0.2.0.9-unstable-2025-04-03
- nixos-unstable-small 0.2.0.9-unstable-2025-04-03
-
nixos-25.11 0.2.0.9-unstable-2025-04-03
- nixos-25.11-small 0.2.0.9-unstable-2025-04-03
- nixpkgs-25.11-darwin 0.2.0.9-unstable-2025-04-03
pkgs.haskellPackages.libssh2-conduit
Conduit wrappers for libssh2 FFI bindings (see libssh2 package)
pkgs.python312Packages.ansible-pylibssh
Python bindings to client functionality of libssh specific to Ansible use case
pkgs.python313Packages.ansible-pylibssh
Python bindings to client functionality of libssh specific to Ansible use case
pkgs.python314Packages.ansible-pylibssh
Python bindings to client functionality of libssh specific to Ansible use case
Package maintainers
-
@svanderburg Sander van der Burg <s.vanderburg@tudelft.nl>
-
@SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>
-
@geluk Johan Geluk <johan+nix@geluk.io>
-
@mpscholten Marc Scholten <marc@digitallyinduced.com>
-
@wfdewith Wim de With <wf@dewith.io>