Cyber Resilience

CVE-2026-0966

High

Published: 26 March 2026

Modified: 19 May 2026
CVSS Score v3.1: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H)
EPSS Score: 0.0058 (43.3rd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-0966 is a high-severity Buffer Underflow (CWE-124) vulnerability in Red Hat Enterprise Linux. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). By exploit likelihood it ranks at the 43.3rd percentile (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2026-0966 is a vulnerability in the libssh library's API function `ssh_get_hexa()`, which suffers from a buffer underwrite (CWE-124) when provided with zero-length input. This issue affects internal usages of the function in `ssh_get_fingerprint_hash()` and the deprecated `ssh_print_hexa()`, both of which are vulnerable to the same input condition where length is supplied by the calling application. Additionally, `ssh_get_hexa()` is invoked in the GSSAPI code for logging Object Identifiers (OIDs) received from the server during GSSAPI authentication. The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H).

A remote, unauthenticated attacker can exploit this vulnerability by triggering GSSAPI authentication on a vulnerable libssh server that has logging verbosity set to at least SSH_LOG_PACKET (level 3). This leads to a self-denial-of-service condition, crashing the per-connection daemon process due to the buffer underwrite. Exploitation requires no privileges or user interaction, with low attack complexity over the network, resulting in high availability impact from process termination and low integrity impact.

Mitigation is available through updated libssh releases, including versions 0.12.0 and 0.11.4, as detailed in the libssh security advisory. Red Hat has addressed the issue in errata RHSA-2026:7067, with further details on their CVE page and Bugzilla entry (ID 2433121). Security practitioners should upgrade affected libssh instances and review GSSAPI authentication configurations and logging levels to prevent exposure.
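
The zero-length case described above, as an added example that is not libssh source code. The function name `hexa_checked` is hypothetical, and the output layout (three characters per byte, with the last separator position holding the terminator) is an assumption chosen to show how a length of zero turns the terminator index into -1.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical colon-separated hex formatter (not libssh source).
 * Each input byte becomes "xx:" and the final ':' position holds the
 * terminating NUL, so the terminator lands at index len*3 - 1.
 * With len == 0 that index is -1, one byte before the allocation:
 * the CWE-124 underwrite pattern. The guard below rejects that case
 * before any write happens.
 */
char *hexa_checked(const unsigned char *what, size_t len)
{
    static const char digits[] = "0123456789abcdef";
    char *out;
    size_t i;

    /* Zero-length or NULL input: return an empty string (a choice made
     * for this example) instead of ever computing index -1. */
    if (what == NULL || len == 0) {
        out = malloc(1);
        if (out != NULL) {
            out[0] = '\0';
        }
        return out;
    }
    /* Reject lengths where len * 3 would wrap around size_t. */
    if (len > (SIZE_MAX - 1) / 3) {
        return NULL;
    }
    out = malloc(len * 3);          /* len*3 - 1 characters plus the NUL */
    if (out == NULL) {
        return NULL;
    }
    for (i = 0; i < len; i++) {
        out[i * 3] = digits[(what[i] >> 4) & 0xF];
        out[i * 3 + 1] = digits[what[i] & 0xF];
        if (i + 1 < len) {
            out[i * 3 + 2] = ':';   /* separator only between bytes */
        }
    }
    out[len * 3 - 1] = '\0';        /* in bounds: len >= 1 here */
    return out;
}
```

The caller owns the returned buffer and releases it with `free()`.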

Vulnerability details

A flaw was found in libssh. The API function `ssh_get_hexa()` is vulnerable to a denial of service when processing zero-length input. This can be exploited remotely by an attacker during GSSAPI (Generic Security Service Application Program Interface) authentication if the server's logging verbosity is set to `SSH_LOG_PACKET (3)` or higher. Successful exploitation could lead to a self-Denial of Service of the per-connection daemon process.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Buffer underwrite in libssh enables remote unauthenticated exploitation of GSSAPI auth path to crash the server process (application/system exploitation for DoS).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-14821 (same product: Libssh Libssh)
CVE-2025-32990 (same product: Redhat Enterprise Linux)
CVE-2026-2100 (same product: Redhat Enterprise Linux)
CVE-2026-3731 (same product: Libssh Libssh)
CVE-2026-3260 (same product: Redhat Enterprise Linux)
CVE-2026-4271 (same product: Redhat Enterprise Linux)
CVE-2026-2436 (same product: Redhat Enterprise Linux)
CVE-2026-1584 (same product: Redhat Hardened Images)
CVE-2026-42009 (same product: Redhat Enterprise Linux)
CVE-2026-35091 (same product: Redhat Enterprise Linux)

Affected Assets

libssh libssh: ≤ 0.11.4
redhat hardened images: all versions
redhat openshift container platform: 4.0
redhat enterprise linux: 10.0, 8.0, 9.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Directly requires timely installation of the libssh patches (0.11.4/0.12.0) that eliminate the zero-length buffer underwrite in `ssh_get_hexa()`.

Prevent: Allows explicit configuration of SSH_LOG_PACKET verbosity and GSSAPI authentication settings to avoid the code path that triggers the vulnerable function.

Prevent: Enforces disabling or restricting unneeded GSSAPI authentication and high-volume packet logging features that expose the flaw.
