References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

Known Affected Software Configurations Switch to CPE 2.2

Change History

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

OR
          *cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
          *cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*
          *cpe:2.3:a:libssh:libssh:*:*:*:*:*:*:*:* versions up to (including) 0.11.3

Red Hat, Inc.: https://access.redhat.com/security/cve/CVE-2026-0968 Types: Third Party Advisory

Red Hat, Inc.: https://bugzilla.redhat.com/show_bug.cgi?id=2436982 Types: Third Party Advisory

Red Hat, Inc.: https://www.libssh.org/2026/02/10/libssh-0-12-0-and-0-11-4-security-releases/ Types: Release Notes

https://www.libssh.org/2026/02/10/libssh-0-12-0-and-0-11-4-security-releases/

A flaw was found in libssh in which a malicious SFTP (SSH File Transfer Protocol) server can exploit this by sending a malformed 'longname' field within an `SSH_FXP_NAME` message during a file listing operation. This missing null check can lead to reading beyond allocated memory on the heap. This can cause unexpected behavior or lead to a denial of service (DoS) due to application crashes.

AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L

CWE-476

https://access.redhat.com/security/cve/CVE-2026-0968

https://bugzilla.redhat.com/show_bug.cgi?id=2436982