Source: libssh2
Version: 1.11.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for libssh2.

CVE-2025-15661[0]:
| libssh2 through 1.11.1, fixed in commit 2dae302, contains an
| out-of-bounds heap read vulnerability in the sftp_symlink() function
| in src/sftp.c that allows a malicious SSH server or man-in-the-middle
| attacker to disclose heap memory contents or cause a crash by
| sending a crafted SSH_FXP_NAME response. Attackers can supply a
| link_len value larger than the actual packet data in SSH_FXP_NAME
| responses for SFTP READLINK and REALPATH operations, triggering a
| heap buffer over-read of up to target_len minus one bytes due to the
| missing validation of available packet buffer size before the memcpy
| operation.

CVE-2026-55199[1]:
| libssh2 through 1.11.1, fixed in commit 1762685, contains a
| pre-authentication denial of service vulnerability in the
| SSH_MSG_EXT_INFO handler in src/packet.c that allows a malicious SSH
| server to cause a client CPU exhaustion loop by sending a crafted
| extension count value. A malicious server can set nr_extensions to
| 0xFFFFFFFF during key exchange, causing the client to spin in a
| tight CPU loop for over 60 seconds because return values from
| _libssh2_get_string() are unchecked and the session timeout does not
| apply to CPU-bound loops.

CVE-2026-55200[2]:
| libssh2 through 1.11.1, fixed in commit 7acf3df, contains an
| out-of-bounds write vulnerability in ssh2_transport_read() that fails
| to enforce upper bounds on packet_length field. Remote attackers can
| send crafted SSH packets with excessively large packet_length values
| to corrupt heap memory and achieve remote code execution.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-15661
    https://www.cve.org/CVERecord?id=CVE-2025-15661
[1] https://security-tracker.debian.org/tracker/CVE-2026-55199
    https://www.cve.org/CVERecord?id=CVE-2026-55199
[2] https://security-tracker.debian.org/tracker/CVE-2026-55200
    https://www.cve.org/CVERecord?id=CVE-2026-55200

Regards,
Salvatore
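Added illustration, not part of this report and not libssh2's code: all three CVEs above come down to trusting a length field from the peer without comparing it to the bytes actually received (link_len in SSH_FXP_NAME, nr_extensions in SSH_MSG_EXT_INFO, packet_length in the transport layer). The C below shows the defensive pattern a client parser should follow for the first two cases: a read cursor that refuses any string whose declared length exceeds the remaining packet, and a loop over EXT_INFO that stops at the first failed read rather than iterating the advertised count. The names pkt_cursor, cursor_get_string, parse_fxp_name_target and count_ext_info_extensions are hypothetical, and the sample packets are constructed, not captured traffic.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical read cursor over one received packet (not libssh2's API). */
typedef struct {
    const unsigned char *data;
    size_t len;   /* total bytes in the packet */
    size_t pos;   /* bytes consumed so far, always <= len */
} pkt_cursor;

/* Read a big-endian uint32; fail unless at least 4 bytes remain. */
static int cursor_get_u32(pkt_cursor *c, uint32_t *out)
{
    const unsigned char *p;
    if (c->len - c->pos < 4)
        return -1;
    p = c->data + c->pos;
    *out = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    c->pos += 4;
    return 0;
}

/* Read an SSH "string" (uint32 length, then that many bytes). The declared
 * length is checked against the bytes actually remaining before the caller
 * may touch them; this is the validation the advisory says was missing
 * ahead of the memcpy in sftp_symlink(). */
static int cursor_get_string(pkt_cursor *c, const unsigned char **s,
                             uint32_t *slen)
{
    uint32_t n;
    if (cursor_get_u32(c, &n) != 0)
        return -1;
    if (n > c->len - c->pos)   /* length claims more data than was received */
        return -1;
    *s = c->data + c->pos;
    *slen = n;
    c->pos += n;
    return 0;
}

/* Copy the first name from an SSH_FXP_NAME reply (used for READLINK and
 * REALPATH) into target[target_len], NUL-terminated. Wire layout:
 * byte 104 (SSH_FXP_NAME), uint32 request-id, uint32 count, string name...
 * Returns the number of bytes copied, or -1 if the reply is malformed. */
int parse_fxp_name_target(const unsigned char *pkt, size_t pkt_len,
                          char *target, size_t target_len)
{
    pkt_cursor c = { pkt, pkt_len, 0 };
    uint32_t request_id, count, link_len;
    const unsigned char *link;

    if (pkt_len < 1 || pkt[0] != 104)
        return -1;
    c.pos = 1;                               /* skip the type byte */
    if (cursor_get_u32(&c, &request_id) != 0)
        return -1;
    if (cursor_get_u32(&c, &count) != 0 || count == 0)
        return -1;
    if (cursor_get_string(&c, &link, &link_len) != 0)
        return -1;                           /* inflated link_len rejected */
    if (target_len == 0 || link_len > target_len - 1)
        return -1;                           /* would not fit the buffer */
    memcpy(target, link, link_len);
    target[link_len] = '\0';
    return (int)link_len;
}

/* Walk the body of SSH_MSG_EXT_INFO (RFC 8308: uint32 nr-extensions, then
 * that many pairs of string name, string value; the type byte is assumed
 * already consumed). Every read result is checked, so an inflated count
 * stops at the first pair the packet cannot supply instead of spinning
 * 0xFFFFFFFF times. Returns the pair count, or -1 on malformed input. */
int count_ext_info_extensions(const unsigned char *body, size_t body_len)
{
    pkt_cursor c = { body, body_len, 0 };
    uint32_t nr, i, nlen, vlen;
    const unsigned char *name, *value;

    if (cursor_get_u32(&c, &nr) != 0)
        return -1;
    for (i = 0; i < nr; i++) {
        if (cursor_get_string(&c, &name, &nlen) != 0 ||
            cursor_get_string(&c, &value, &vlen) != 0)
            return -1;
    }
    return (int)nr;
}

/* Constructed sample packets: one well-formed and one with an inflated
 * length field for each message type. */
static const unsigned char NAME_OK[] = {
    104, 0,0,0,1, 0,0,0,1, 0,0,0,6, '/','t','m','p','/','x' };
static const unsigned char NAME_BAD[] = {      /* link_len 65535, 6 bytes follow */
    104, 0,0,0,1, 0,0,0,1, 0,0,0xFF,0xFF, '/','t','m','p','/','x' };
static const unsigned char EXT_OK[] = {
    0,0,0,1, 0,0,0,15, 's','e','r','v','e','r','-','s','i','g','-','a','l','g','s',
    0,0,0,11, 's','s','h','-','e','d','2','5','5','1','9' };
static const unsigned char EXT_BAD[] = {       /* nr-extensions 0xFFFFFFFF, one pair */
    0xFF,0xFF,0xFF,0xFF, 0,0,0,15, 's','e','r','v','e','r','-','s','i','g','-','a','l','g','s',
    0,0,0,11, 's','s','h','-','e','d','2','5','5','1','9' };

int demo_name_ok(void)  { char t[32]; return parse_fxp_name_target(NAME_OK, sizeof NAME_OK, t, sizeof t); }
int demo_name_bad(void) { char t[32]; return parse_fxp_name_target(NAME_BAD, sizeof NAME_BAD, t, sizeof t); }
int demo_ext_ok(void)   { return count_ext_info_extensions(EXT_OK, sizeof EXT_OK); }
int demo_ext_bad(void)  { return count_ext_info_extensions(EXT_BAD, sizeof EXT_BAD); }

int main(void)
{
    printf("FXP_NAME well-formed: %d  crafted: %d\n", demo_name_ok(), demo_name_bad());
    printf("EXT_INFO well-formed: %d  crafted: %d\n", demo_ext_ok(), demo_ext_bad());
    return 0;
}
```

The well-formed samples return 6 (bytes copied) and 1 (extension pair), while both crafted samples return -1 before any copy or long loop happens. The same cursor discipline applies to the transport-level packet_length in the third CVE: compare the field against a fixed maximum and the receive buffer before allocating or copying.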

