=========================================================== == Subject: Possible Denial of Service when parsing unexpected configuration files == == CVE ID#: CVE-2026-0965 == == Versions: libssh < 0.11.4; < 0.12.0 == == Summary: The libssh can attempt to read non-regular files when misconfigured, == which could cause resource exhaustion or blocking. == == Component: server and client == =========================================================== =========== Description =========== The libssh can try to open any file during configuration parsing, when misconfigured or when local attacker can provide malicious configuration. This applies for all configuration loaded from default location, configuration provided through the `ssh_config_parse_file()` and `ssh_bind_config_parse_file()` functions as well as configuration files included from them directly or through glob wildcards. The possibly dangerous files involve block devices, fifo, named pipe or huge system files that could cause Denial of Service. The solution here is allowing to read only regular files and enforcing configuration file size limit of 16MB. Currently, maximum line length of a configuration file is 1K so this will effectively mean configuration files of 16K lines should still keep working. ================== Patch Availability ================== Patches addressing the issues have been posted to: https://www.libssh.org/security/ Additionally, libssh 0.11.4 and 0.12.0 have been issued as security releases to correct the defect. SSH administrators are advised to upgrade to these releases or apply the patch as soon as possible. ================== CVSSv3 calculation ================== CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L (3.3) ========== Workaround ========== Make sure the client and server is using only regular files as configuration. ======= Credits ======= Originally reported by Kang Yang, Yunhang Zhang and Jun Xu. Patches provided by Jakub Jelen of the libssh team. ========================================================== == The libssh team ==========================================================