CVE-2026-3731
Received Received - Intake
Out-of-Bounds Read in libssh SFTP Extension Allows Remote Attack

Publication date: 2026-03-08

Last updated on: 2026-03-12

Assigner: VulDB

Description
A weakness has been identified in libssh up to 0.11.3. The impacted element is the function sftp_extensions_get_name/sftp_extensions_get_data of the file src/sftp.c of the component SFTP Extension Name Handler. Executing a manipulation of the argument idx can lead to out-of-bounds read. The attack may be performed from remote. Upgrading to version 0.11.4 and 0.12.0 is sufficient to resolve this issue. This patch is called 855a0853ad3abd4a6cd85ce06fce6d8d4c7a0b60. You should upgrade the affected component.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-08
Last Modified
2026-03-12
Generated
2026-06-16
AI Q&A
2026-03-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3731
EUVD
EUVD-2026-10234
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
libssh libssh to 0.11.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-3731 is an out-of-bounds read vulnerability in libssh versions prior to 0.11.4 and 0.12.0. It affects the functions sftp_extensions_get_name() and sftp_extensions_get_data() in the SFTP Extension Name Handler component. These functions perform incorrect bounds checking when accessing SFTP extension names or data by an index that can be equal to the number of extensions, causing them to read beyond the allocated buffer.

While libssh internally uses these functions safely, end-user applications that call these functions to query specific SFTP extensions may trigger this vulnerability. This can lead to application crashes or cause the application to use uninitialized or unexpected data.

The vulnerability can be exploited remotely without authentication, but exploitation by a malicious server is not feasible. The issue is fixed by upgrading libssh to versions 0.11.4 or 0.12.0.

Impact Analysis

This vulnerability can impact the availability of applications using libssh by causing application crashes due to out-of-bounds reads when querying SFTP extensions.

Additionally, it may cause applications to process or make decisions based on uninitialized or unexpected data, potentially leading to unpredictable behavior.

Since the vulnerability can be exploited remotely without authentication, it poses a moderate risk to systems running vulnerable versions of libssh.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability arises from an out-of-bounds read in libssh's SFTP extension handling functions when an invalid index is accessed. Detection involves identifying if your system is running a vulnerable libssh version (prior to 0.11.4 and 0.12.0) and if any applications are calling these vulnerable functions with out-of-range indices."}, {'type': 'paragraph', 'content': 'Since the vulnerability is a programming error triggered by specific function calls, direct network detection commands or signatures are not provided in the available resources.'}, {'type': 'paragraph', 'content': 'To detect vulnerable versions, you can check the installed libssh version on your system using commands like:'}, {'type': 'list_item', 'content': 'libssh version check: `ssh -V` or `dpkg -l | grep libssh` (on Debian-based systems) or `rpm -qa | grep libssh` (on RPM-based systems)'}, {'type': 'paragraph', 'content': 'Additionally, monitoring application logs for crashes or unexpected behavior related to SFTP extension queries may help identify exploitation attempts or triggering of the vulnerability.'}] [1, 2, 3]

Mitigation Strategies

The primary and recommended mitigation is to upgrade libssh to a fixed version, specifically version 0.11.4 or 0.12.0, where the vulnerability has been patched.

If upgrading immediately is not possible, ensure that applications using libssh do not call the vulnerable functions `sftp_extensions_get_name()` and `sftp_extensions_get_data()` with indices equal to or greater than the number of available extensions, effectively avoiding out-of-bounds access.

Administrators should also monitor for unusual application crashes or behavior related to SFTP extensions and apply patches or updates from the official libssh sources promptly.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3731. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart