References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

Known Affected Software Configurations Switch to CPE 2.2

Change History

AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

OR
          *cpe:2.3:a:libssh:libssh:-:*:*:*:*:*:*:*

Red Hat, Inc.: https://access.redhat.com/security/cve/CVE-2025-5987 Types: Third Party Advisory

Red Hat, Inc.: https://bugzilla.redhat.com/show_bug.cgi?id=2376219 Types: Issue Tracking, Third Party Advisory

A flaw was found in libssh when using the ChaCha20 cipher with the OpenSSL library. If an attacker manages to exhaust the heap space, this error is not detected and may lead to libssh using a partially initialized cipher context. This occurs because the OpenSSL error code returned aliases with the SSH_OK code, resulting in libssh not properly detecting the error returned by the OpenSSL library. This issue can lead to undefined behavior, including compromised data confidentiality and integrity or crashes.

AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE-393

https://access.redhat.com/security/cve/CVE-2025-5987

https://bugzilla.redhat.com/show_bug.cgi?id=2376219