CVE-2026-0967
Regular Expression DoS in libssh match_pattern() Function
Publication date: 2026-03-26
Last updated on: 2026-04-02
Assigner: Red Hat, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| redhat | enterprise_linux | 9.0 |
| redhat | enterprise_linux | 10.0 |
| libssh | libssh | to 0.11.3 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1333 | The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in libssh causes a denial of service (DoS) through resource exhaustion during pattern matching, but it does not directly impact confidentiality, integrity, or availability of sensitive data.
Since the issue results in a DoS condition without data breach or unauthorized access, it has limited direct implications for compliance with standards like GDPR or HIPAA, which primarily focus on protecting personal and health information.
However, organizations relying on libssh for secure communications should consider the potential availability impact and ensure mitigation to maintain service continuity, which can be relevant for compliance with availability requirements in some regulations.
Can you explain this vulnerability to me?
CVE-2026-0967 is a denial of service vulnerability found in libssh. It occurs because the `match_pattern()` function, which processes hostnames in client configuration or known_hosts files, can be tricked into inefficient regular expression backtracking.
A remote attacker who controls these configuration files can craft specific hostnames that cause the function to consume excessive CPU and memory resources, leading to timeouts and resource exhaustion.
This results in a denial of service (DoS) condition for the client using libssh.
How can this vulnerability impact me? :
This vulnerability can impact you by causing denial of service on systems using libssh.
- An attacker controlling client configuration or known_hosts files can trigger excessive CPU and memory usage.
- This resource exhaustion can lead to timeouts and unavailability of the libssh client.
- The impact is limited to availability, with no confidentiality or integrity loss.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises when libssh processes crafted hostnames in client configuration or known_hosts files, causing excessive CPU and memory usage due to inefficient regular expression backtracking.
To detect this vulnerability on your system, monitor libssh client processes for unusually high CPU or memory consumption during SSH connections, especially when connecting to hosts with potentially manipulated configuration or known_hosts files.
While no specific detection commands are provided, you can use general system monitoring tools such as:
- top or htop to observe CPU and memory usage of libssh processes
- ps aux | grep libssh to identify running libssh client processes
- strace or ltrace on libssh processes to trace system calls and signals during SSH connections
- Review client configuration files and known_hosts files for suspicious or unusually complex hostnames that could trigger the vulnerability
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update libssh to a version where the pattern matching logic has been fixed to prevent inefficient regular expression backtracking.
Additionally, restrict or validate client configuration files and known_hosts files to prevent attackers from injecting crafted hostnames that could trigger the denial of service.
Monitoring resource usage of libssh client processes and limiting access to configuration files can also help reduce the risk until the patch is applied.