This is a security release of libssh to address the following security issues:
- CVE-2025-8114: Fix NULL pointer dereference after allocation failure
- CVE-2025-8277: Fix memory leak of ephemeral key pair during repeated wrong KEX
In addition, version 0.11.3 contains several bugfixes and backports. For the full list, see the changelog below. Thanks to Philippe Antoine and Francesco Rollo for the responsible disclosure.
If you are new to libssh, you should read our tutorial on how to get started. Please join our mailing list or visit our IRC or Matrix channels if you have questions.
You can download libssh here.
CHANGELOG
- Security:
  - CVE-2025-8114: Fix NULL pointer dereference after allocation failure
  - CVE-2025-8277: Fix memory leak of ephemeral key pair during repeated wrong KEX
  - Potential UAF when send() fails during key exchange
- Bugfixes:
  - Fix possible timeout during KEX if client sends authentication too early (#311)
  - Cleanup OpenSSL PKCS#11 provider when loaded
  - Zeroize buffers containing private key blobs during export