CVE-2026-3731
Out-of-Bounds Read in libssh SFTP Extension Allows Remote Attack
Publication date: 2026-03-08
Last updated on: 2026-03-12
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| libssh | libssh | to 0.11.3 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-3731 is an out-of-bounds read vulnerability in libssh versions prior to 0.11.4 and 0.12.0. It affects the functions sftp_extensions_get_name() and sftp_extensions_get_data() in the SFTP Extension Name Handler component. Both functions take an index into the list of extensions the server advertised, and their bounds check was off by one: an index equal to the number of extensions (one past the last valid entry) was accepted, so the functions read one slot beyond the allocated buffer.
While libssh internally uses these functions safely, end-user applications that call these functions to query specific SFTP extensions may trigger this vulnerability. This can lead to application crashes or cause the application to use uninitialized or unexpected data.
The database scores the issue as reachable remotely without authentication, but the analysis notes that triggering it from a malicious server is not feasible: the out-of-range index comes from the calling application, not from data the server sends. The issue is fixed by upgrading libssh to version 0.11.4 or 0.12.0.
How can this vulnerability impact me? :
This vulnerability can impact the availability of applications using libssh by causing application crashes due to out-of-bounds reads when querying SFTP extensions.
Additionally, it may cause applications to process or make decisions based on uninitialized or unexpected data, potentially leading to unpredictable behavior.
Since the vulnerability can be exploited remotely without authentication, it poses a moderate risk to systems running vulnerable versions of libssh.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises from an out-of-bounds read in libssh's SFTP extension handling functions when an out-of-range index is passed to them. Detection comes down to two checks: whether the system runs a vulnerable libssh version (prior to 0.11.4 and 0.12.0), and whether any application on it calls `sftp_extensions_get_name()` or `sftp_extensions_get_data()` with an index that can reach the extension count.
Because the bug is a programming error triggered by a specific function call rather than by a particular network message, no network detection commands or signatures are provided in the available resources.
To find the installed libssh version, use `dpkg -l | grep libssh` (on Debian-based systems), `rpm -qa | grep libssh` (on RPM-based systems), or `pkg-config --modversion libssh` where the development files are installed. Note that `ssh -V` reports the OpenSSH version, and OpenSSH does not use libssh, so it is not a useful check here. Applications that bundle or statically link libssh carry their own copy and must be checked against the vendor's release notes.
Additionally, monitoring application logs for crashes or unexpected behavior around SFTP extension queries may help identify when the vulnerable code path is being triggered.
What immediate steps should I take to mitigate this vulnerability?
The primary and recommended mitigation is to upgrade libssh to a fixed version, specifically version 0.11.4 or 0.12.0, where the vulnerability has been patched.
If upgrading immediately is not possible, ensure that applications using libssh call `sftp_extensions_get_name()` and `sftp_extensions_get_data()` only with indices strictly less than the number of available extensions, i.e., bound every index by the value returned from `sftp_extensions_get_count()`, so that the out-of-bounds access is never reached.
Administrators should also monitor for unusual application crashes or behavior related to SFTP extensions and apply patches or updates from the official libssh sources promptly.
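The off-by-one described above and the safe calling pattern, as an added example that is not libssh's source code. It models the extension table as parallel name/data arrays with a count (the layout, the `ext_*` names and the sample extension list are assumptions for illustration), contrasts the check that accepts `index == count` with the corrected one, and shows the lookup loop an application should use instead of a fixed index:

```c
/* Added example, not libssh's code: a model of the off-by-one bounds check
 * described for CVE-2026-3731, the fixed check, and a safe lookup pattern.
 * struct ext_table, the ext_* functions and the sample data are assumptions. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout: the extensions a server advertised, as parallel arrays. */
struct ext_table {
    unsigned int count;
    const char **name;
    const char **data;
};

/* Vulnerable-style check (assumed shape): only idx > count is rejected, so
 * idx == count passes and the caller reads one slot past the end. */
int ext_index_ok_vulnerable(unsigned int idx, unsigned int count) {
    return idx > count ? 0 : 1;
}

/* Fixed check: the index must be strictly less than the count. */
int ext_index_ok_fixed(unsigned int idx, unsigned int count) {
    return idx < count ? 1 : 0;
}

/* Safe accessors: NULL for any out-of-range index, no memory past the table
 * is ever touched. */
const char *ext_get_name(const struct ext_table *t, unsigned int idx) {
    if (t == NULL || !ext_index_ok_fixed(idx, t->count)) return NULL;
    return t->name[idx];
}

const char *ext_get_data(const struct ext_table *t, unsigned int idx) {
    if (t == NULL || !ext_index_ok_fixed(idx, t->count)) return NULL;
    return t->data[idx];
}

/* Application-side lookup by name. Iterating with i < count is the pattern
 * that keeps a caller clear of the bug; assuming a fixed position for an
 * extension is what lets an index reach count when a server advertises
 * fewer extensions than expected. Returns the extension's data string, or
 * NULL if the server did not advertise it. */
const char *ext_lookup(const struct ext_table *t, const char *wanted) {
    if (t == NULL || wanted == NULL) return NULL;
    for (unsigned int i = 0; i < t->count; i++) {
        const char *n = ext_get_name(t, i);
        if (n != NULL && strcmp(n, wanted) == 0) return ext_get_data(t, i);
    }
    return NULL;
}

/* Constructed sample table, shaped like the extension list from a server's
 * SFTP version reply (two entries, so index 2 is one past the end). */
static const char *sample_names[] = { "posix-rename@openssh.com", "statvfs@openssh.com" };
static const char *sample_data[]  = { "1", "2" };
static const struct ext_table sample = { 2, sample_names, sample_data };

const struct ext_table *sample_table(void) { return &sample; }

int main(void) {
    const struct ext_table *t = sample_table();
    unsigned int past_end = t->count;   /* the index the buggy check accepted */
    const char *d;

    printf("vulnerable check accepts idx == count: %d\n",
           ext_index_ok_vulnerable(past_end, t->count));
    printf("fixed check accepts idx == count:      %d\n",
           ext_index_ok_fixed(past_end, t->count));
    printf("name at idx == count via fixed getter: %s\n",
           ext_get_name(t, past_end) ? ext_get_name(t, past_end) : "(NULL)");
    d = ext_lookup(t, "statvfs@openssh.com");
    printf("statvfs@openssh.com -> %s\n", d ? d : "(not advertised)");
    d = ext_lookup(t, "fsync@openssh.com");
    printf("fsync@openssh.com -> %s\n", d ? d : "(not advertised)");
    return 0;
}
```

Against real libssh the equivalent of `ext_lookup()` is to bound the loop by `sftp_extensions_get_count()` before calling `sftp_extensions_get_name()` / `sftp_extensions_get_data()`, or to ask `sftp_extension_supported()` for the name and version directly instead of indexing at all; the example deliberately does not execute the vulnerable check against memory, since that read is undefined behavior.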