CVE-2026-0966
Modified Modified - Updated After Analysis
Null Pointer Dereference in SSH API Causes Remote DoS

Publication date: 2026-03-26

Last updated on: 2026-05-19

Assigner: Red Hat, Inc.

Description
A flaw was found in libssh. The API function `ssh_get_hexa()` is vulnerable to a denial of service when processing zero-length input. This can be exploited remotely by an attacker during GSSAPI (Generic Security Service Application Program Interface) authentication if the server's logging verbosity is set to `SSH_LOG_PACKET (3)` or higher. Successful exploitation could lead to a self-Denial of Service of the per-connection daemon process.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-26
Last Modified
2026-05-19
Generated
2026-06-16
AI Q&A
2026-03-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-0966
EUVD
EUVD-2026-16330
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
redhat enterprise_linux 8.0
redhat openshift_container_platform 4.0
redhat enterprise_linux 9.0
redhat enterprise_linux 10.0
redhat hardened_images *
libssh libssh to 0.11.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-124 The product writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-0966 is a medium-severity vulnerability in the libssh library caused by a buffer underflow in the function ssh_get_hexa() when it receives zero-length input.

This function is used internally by ssh_get_fingerprint_hash() and the deprecated ssh_print_hexa(), which also become vulnerable because they rely on input length provided by the calling application.

Additionally, ssh_get_hexa() is used in the GSSAPI code to log Object Identifiers (OIDs) received by the server during GSSAPI authentication.

The vulnerability can be triggered remotely if the SSH server allows GSSAPI authentication and the logging verbosity is set to at least SSH_LOG_PACKET (level 3).

Exploiting this flaw can cause a self-denial-of-service (DoS) condition in the per-connection daemon process handling the SSH session.

Impact Analysis

This vulnerability can be exploited remotely to cause a denial-of-service (DoS) condition in the SSH server's per-connection daemon process.

Specifically, when the server allows GSSAPI authentication and logging verbosity is set to SSH_LOG_PACKET or higher, an attacker can send zero-length input to trigger the buffer underflow.

The impact is that the affected SSH session daemon process may crash or become unavailable, disrupting SSH connections and potentially causing service interruptions.

Detection Guidance

This vulnerability can be detected by checking if your SSH server allows GSSAPI authentication and if the logging verbosity is set to at least SSH_LOG_PACKET (level 3). Monitoring logs for unusual self-denial-of-service (DoS) conditions in the per-connection daemon process may also indicate exploitation attempts.

Specific commands to detect this vulnerability are not provided in the available resources.

Mitigation Strategies

Immediate mitigation steps are not explicitly detailed in the provided resources.

However, based on the vulnerability details, you may consider disabling GSSAPI authentication or reducing SSH logging verbosity below SSH_LOG_PACKET (level 3) to prevent remote triggering of the vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-0966. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart