You are using an out of date browser. It may not display this or other websites correctly. You should upgrade or use an alternative browser.
libssh security
About this tag
The libssh security tag covers vulnerabilities and fixes related to the libssh library, a widely used SSH protocol implementation. Recent discussions focus on a batch of CVEs addressed in libssh 0.12.0 and 0.11.4 releases on February 10, 2026. These include CVE-2026-0966, a buffer underflow in ssh_get_hexa() causing limited availability issues; CVE-2026-0964, a path traversal in the SCP client API allowing file write outside intended directories; CVE-2026-0967, a denial-of-service requiring specific conditions; and CVE-2026-0965, a DoS from improper configuration file handling. The content emphasizes practical impacts for defenders, such as partial outages, malicious server attacks, and context-sensitive exploitation, along with patching guidance.
Performance degradation and intermittent interruption are the key operational consequences Microsoft records for CVE-2026-0966, a libssh issue caused by a buffer underflow in ssh_get_hexa() on invalid input. The vulnerability was fixed in the libssh 0.12.0 and 0.11.4 security releases published...
Background
CVE-2026-0964 is a path traversal vulnerability in libssh’s SCP client API, specifically in ssh_scp_pull_request(). In practical terms, a malicious SCP server can feed a client an unexpected path and trick the application into writing a file somewhere other than the intended working...
A successful attack against CVE-2026-0967 is not the kind of issue that can be triggered effortlessly from across the internet with a single packet and no setup. Microsoft’s own wording makes that distinction clear: the attack requires conditions beyond the attacker’s control, meaning the...
Microsoft’s listing for CVE-2026-0965 highlights a denial-of-service condition in libssh tied to improper configuration file handling, and the upstream libssh project confirms that the issue was among the security fixes shipped in its 0.12.0 and 0.11.4 releases on February 10, 2026. The...