===========================================================
== Subject:     OOB Read in sftp_parse_longname()
==
== CVE ID#:     CVE-2026-0968
==
== Versions:    libssh < 0.11.4; < 0.12.0
==
== Summary:     Possible read behind bounds of longname
==
== Component:   SFTP client
==
===========================================================

===========
Description
===========

A malicious SFTP server can send malformed longname field of the
`SSH_FXP_NAME` message (file listing). Due to the missing NULL check,
the libssh could read beyond the buffer bounds on heap, causing
unexpected behavior or crashes.

==================
Patch Availability
==================

Patches addressing the issues have been posted to:
https://www.libssh.org/security/
Additionally, libssh 0.11.4 and 0.12.0 have been issued
as security releases to correct the defect.  SSH administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L (3.1)

==========
Workaround
==========

Properly verify the identity of the SFTP servers you are connecting
to using SFTP before proceeding.

=======
Credits
=======

Originally reported by nevv of CTyun Red-Shield Security Lab.
Patches provided by Jakub Jelen of the libssh team.

==========================================================
== The libssh team
==========================================================