===========================================================
== Subject:     Specially crafted patterns could cause DoS
==
== CVE ID#:     CVE-2026-0967
==
== Versions:    libssh < 0.11.4; < 0.12.0
==
== Summary:     Pattern matching at various places in libssh could
==              lead to complex backtracking causing timeouts.
==
== Component:   server and client
==
===========================================================

===========
Description
===========

The function `match_pattern()` is used to match conditionals in client
configuration files or known hosts against the hostname the client is
connecting to.

When the configuration file or known_hosts file is controlled by the
attacker, connecting to specific hostnames could cause timeouts and
resource exhaustion due to the ineffective backtracking of complex
regular expressions.

The pattern matching was modified to avoid the needless backtracing.

==================
Patch Availability
==================

Patches addressing the issues have been posted to:
https://www.libssh.org/security/
Additionally, libssh 0.11.4 and 0.12.0 have been issued
as security releases to correct the defect.  SSH administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================
CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L (2.2)

==========
Workaround
==========

Avoid using complex patterns in configuration files and known_hosts.

=======
Credits
=======

Originally reported by Kang Yang, Yunhang Zhang and Jun Xu.
Patches provided by Jakub Jelen of the libssh team.

==========================================================
== The libssh team
==========================================================