Libssh: improper sanitation of paths received from scp servers
Summary
| CVE | CVE-2026-0964 |
|---|---|
| State | PUBLISHED |
| Assigner | redhat |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-03-26 21:17:00 UTC |
| Updated | 2026-04-30 16:43:18 UTC |
| Description | A malicious SCP server can send unexpected paths that could make the client application override local files outside of working directory. This could be misused to create malicious executable or configuration files and make the user execute them under specific consequences. This is the same issue as in OpenSSH, tracked as CVE-2019-6111. |
Risk And Classification
Primary CVSS: v3.1 6.3 MEDIUM from [email protected]
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
EPSS: 0.000150000 probability, percentile 0.031400000 (date 2026-05-05)
Problem Types: CWE-22 | CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 6.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L |
| 3.0 | [email protected] | Secondary | 5 | MEDIUM | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L |
| 3.0 | CNA | CVSS | 5 | MEDIUM | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L |
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
CVSS v3.0 Breakdown
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Libssh | Libssh | All | All | All | All |
| Operating System | Redhat | Enterprise Linux | 10.0 | All | All | All |
| Operating System | Redhat | Enterprise Linux | 8.0 | All | All | All |
| Operating System | Redhat | Enterprise Linux | 9.0 | All | All | All |
| Application | Redhat | Hardened Images | - | All | All | All |
| Application | Redhat | Openshift Container Platform | 4.0 | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Red Hat | Red Hat Enterprise Linux 10 | Not specified | Not specified |
| CNA | Red Hat | Red Hat Enterprise Linux 6 | Not specified | Not specified |
| CNA | Red Hat | Red Hat Enterprise Linux 7 | Not specified | Not specified |
| CNA | Red Hat | Red Hat Enterprise Linux 8 | Not specified | Not specified |
| CNA | Red Hat | Red Hat Enterprise Linux 9 | Not specified | Not specified |
| CNA | Red Hat | Red Hat Hardened Images | Not specified | Not specified |
| CNA | Red Hat | Red Hat OpenShift Container Platform 4 | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| bugzilla.redhat.com/show_bug.cgi | [email protected] | bugzilla.redhat.com | Issue Tracking, Vendor Advisory |
| www.libssh.org/2026/02/10/libssh-0-12-0-and-0-11-4-security-releases | [email protected] | www.libssh.org | Release Notes |
| access.redhat.com/security/cve/CVE-2026-0964 | [email protected] | access.redhat.com | Mitigation, Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Red Hat would like to thank CTyun (Red-Shield Security Lab) and Jakub Jelen (libssh) for reporting this issue. (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| CNA | 2026-02-04T23:37:53.443Z | Reported to Red Hat. |
| CNA | 2026-02-10T18:44:42.346Z | Made public. |
Workarounds
CNA: Do not use SCP! SCP is deprecated for several years and will be removed in future releases! If you have to, the application MUST validate the path returned from `ssh_scp_request_get_filename()` is the path the application requested. The libssh does not do any writing in this case.