========================================================================== Ubuntu Security Notice USN-8486-1 June 30, 2026
libssh2 vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 26.04 LTS - Ubuntu 25.10 - Ubuntu 24.04 LTS Summary: Several security issues were fixed in libssh2. Software Description: - libssh2: Client-side C library implementing the SSH2 protocol Details: It was discovered that libssh2 incorrectly handled the sftp_symlink() function. A malicious SSH server or machine-in-the-middle attacker could possibly use this issue to obtain sensitive information or cause a denial of service. (CVE-2025-15661) It was discovered that libssh2 had a pre-authentication denial of service vulnerability in the SSH_MSG_EXT_INFO handler. A malicious SSH server could possibly use this issue to cause a client CPU exhaustion loop, resulting in a denial of service. (CVE-2026-55199) It was discovered that libssh2 incorrectly handled packet length fields. A remote attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-55200) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 26.04 LTS libssh2-1t64 1.11.1-1ubuntu0.26.04.2 Ubuntu 25.10 libssh2-1t64 1.11.1-1ubuntu0.25.10.2 Ubuntu 24.04 LTS libssh2-1t64 1.11.0-4.1ubuntu0.24.04.2 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-8486-1 CVE-2025-15661, CVE-2026-55199, CVE-2026-55200 Package Information: https://launchpad.net/ubuntu/+source/libssh2/1.11.1-1ubuntu0.26.04.2 https://launchpad.net/ubuntu/+source/libssh2/1.11.1-1ubuntu0.25.10.2 https://launchpad.net/ubuntu/+source/libssh2/1.11.0-4.1ubuntu0.24.04.2
signature.asc
Description: OpenPGP digital signature
