CVE-2026-0966
Null Pointer Dereference in SSH API Causes Remote DoS
Publication date: 2026-03-26
Last updated on: 2026-04-30
Assigner: Red Hat, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| redhat | enterprise_linux | 8.0 |
| redhat | openshift_container_platform | 4.0 |
| redhat | enterprise_linux | 9.0 |
| redhat | enterprise_linux | 10.0 |
| redhat | hardened_images | * |
| libssh | libssh | up to 0.11.4 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-124 | The product writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-0966 is a medium-severity vulnerability in the libssh library caused by a buffer underflow in the function ssh_get_hexa() when it receives zero-length input.
This function is used internally by ssh_get_fingerprint_hash() and the deprecated ssh_print_hexa(), which also become vulnerable because they rely on input length provided by the calling application.
Additionally, ssh_get_hexa() is used in the GSSAPI code to log Object Identifiers (OIDs) received by the server during GSSAPI authentication.
The vulnerability can be triggered remotely if the SSH server allows GSSAPI authentication and the logging verbosity is set to at least SSH_LOG_PACKET (level 3).
Exploiting this flaw can cause a self-denial-of-service (DoS) condition in the per-connection daemon process handling the SSH session.
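The zero-length edge case described above, shown as an added example that is not libssh source code and not the upstream patch: a colon-separated hex formatter with the length guard that keeps the terminator write inside the allocation. The function name hex_colon, the empty-string return for zero-length input, and the sample bytes are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* hex_colon() is a hypothetical helper, not libssh code. It renders bytes as
 * "aa:bb:cc" by writing "xx:" per byte and then replacing the final ':' with
 * the terminator at index len * 3 - 1. Assumed failure mode for illustration:
 * without the len == 0 guard that index wraps to one byte before the
 * allocation, which is the buffer underwrite class (CWE-124). */
char *hex_colon(const unsigned char *in, size_t len)
{
    static const char digits[] = "0123456789abcdef";
    char *out;
    size_t i;

    /* Guard: zero-length or NULL input yields an empty string. */
    if (in == NULL || len == 0) {
        out = malloc(1);
        if (out != NULL)
            out[0] = '\0';
        return out;
    }
    /* Reject lengths where len * 3 would overflow size_t. */
    if (len > SIZE_MAX / 3)
        return NULL;

    out = malloc(len * 3); /* "xx:" per byte; the last ':' becomes NUL */
    if (out == NULL)
        return NULL;
    for (i = 0; i < len; i++) {
        out[i * 3] = digits[(in[i] >> 4) & 0x0f];
        out[i * 3 + 1] = digits[in[i] & 0x0f];
        out[i * 3 + 2] = ':';
    }
    out[len * 3 - 1] = '\0'; /* in bounds: len >= 1 is guaranteed here */
    return out;
}

int main(void)
{
    const unsigned char sample[] = { 0x2a, 0x86, 0x48 }; /* constructed */
    char *full = hex_colon(sample, sizeof(sample));
    char *empty = hex_colon(sample, 0);

    printf("full=[%s] empty=[%s]\n", full ? full : "", empty ? empty : "");
    free(full);
    free(empty);
    return 0;
}
```

Callers that pass a peer-supplied length into a formatter like this, such as a logging path, depend on that guard because the length is not under their control.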
How can this vulnerability impact me?
This vulnerability can be exploited remotely to cause a denial-of-service (DoS) condition in the SSH server's per-connection daemon process.
Specifically, when the server allows GSSAPI authentication and logging verbosity is set to SSH_LOG_PACKET or higher, an attacker can send zero-length input to trigger the buffer underflow.
The impact is that the affected SSH session daemon process may crash or become unavailable, disrupting SSH connections and potentially causing service interruptions.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your SSH server allows GSSAPI authentication and if the logging verbosity is set to at least SSH_LOG_PACKET (level 3). Monitoring logs for unusual self-denial-of-service (DoS) conditions in the per-connection daemon process may also indicate exploitation attempts.
Specific commands to detect this vulnerability are not provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps are not explicitly detailed in the provided resources.
However, based on the vulnerability details, you may consider disabling GSSAPI authentication or reducing SSH logging verbosity below SSH_LOG_PACKET (level 3) to prevent remote triggering of the vulnerability.