CVE-2026-0966
Published: 26 March 2026
Summary
CVE-2026-0966 is a high-severity Buffer Underflow (CWE-124) vulnerability in Red Hat Enterprise Linux. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 43.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).
Deeper analysis
CVE-2026-0966 is a vulnerability in the libssh library's API function `ssh_get_hexa()`, which suffers from a buffer underwrite (CWE-124) when provided with zero-length input. This issue affects internal usages of the function in `ssh_get_fingerprint_hash()` and the deprecated `ssh_print_hexa()`, both of which are vulnerable to the same input condition where length is supplied by the calling application. Additionally, `ssh_get_hexa()` is invoked in the GSSAPI code for logging Object Identifiers (OIDs) received from the server during GSSAPI authentication. The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H).
A remote, unauthenticated attacker can exploit this vulnerability by triggering GSSAPI authentication on a vulnerable libssh server that has logging verbosity set to at least SSH_LOG_PACKET (level 3). This leads to a self-denial-of-service condition, crashing the per-connection daemon process due to the buffer underwrite. Exploitation requires no privileges or user interaction, with low attack complexity over the network, resulting in high availability impact from process termination and low integrity impact.
Mitigation is available through updated libssh releases, including versions 0.12.0 and 0.11.4, as detailed in the libssh security advisory. Red Hat has addressed the issue in errata RHSA-2026:7067, with further details on their CVE page and Bugzilla entry (ID 2433121). Security practitioners should upgrade affected libssh instances and review GSSAPI authentication configurations and logging levels to prevent exposure.
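The bug class described above, as an added example that is not libssh's code or its patch: it assumes a simplified colon-separated hex formatter that overwrites the trailing `:` at index `len * 3 - 1`, which falls one byte before the allocation when `len` is 0. The names `terminator_index`, `hex_colon` and `format_for_log` are hypothetical, and the OID bytes in any caller are constructed sample input.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Index where an "aa:bb:cc" formatter replaces the trailing ':' with NUL.
 * An unguarded formatter computes len * 3 - 1; for len == 0 that is -1,
 * one byte before the allocation (the CWE-124 underwrite). */
long terminator_index(size_t len)
{
    return (long)(len * 3) - 1;
}

/* Hardened formatter (hypothetical name): validates before any write. */
char *hex_colon(const unsigned char *buf, size_t len)
{
    static const char digits[] = "0123456789abcdef";
    char *out;
    size_t i;

    if (buf == NULL || len == 0 || len > (SIZE_MAX - 1) / 3)
        return NULL;                /* nothing to format, or size overflow */

    out = malloc(len * 3);          /* "xx:" per byte, last ':' becomes NUL */
    if (out == NULL)
        return NULL;

    for (i = 0; i < len; i++) {
        out[i * 3]     = digits[buf[i] >> 4];
        out[i * 3 + 1] = digits[buf[i] & 0x0f];
        out[i * 3 + 2] = ':';
    }
    out[len * 3 - 1] = '\0';        /* safe: len >= 1 on this path */
    return out;
}

/* Log call site: a peer-controlled length of 0 yields a placeholder
 * instead of reaching the formatter's terminator write. Returns 1 if
 * real hex was written to dst, 0 if the placeholder was used. */
int format_for_log(const unsigned char *buf, size_t len, char *dst, size_t dstlen)
{
    char *hex = hex_colon(buf, len);
    int ok = (hex != NULL);

    snprintf(dst, dstlen, "%s", ok ? hex : "(empty)");
    free(hex);
    return ok;
}
```

Building callers of such a formatter with AddressSanitizer and feeding them a zero-length buffer is a quick way to confirm whether a given build still takes the underwrite path.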
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-16330
Vulnerability details
A flaw was found in libssh. The API function `ssh_get_hexa()` is vulnerable to a denial of service when processing zero-length input. This can be exploited remotely by an attacker during GSSAPI (Generic Security Service Application Program Interface) authentication if the server's logging verbosity is set to `SSH_LOG_PACKET (3)` or higher. Successful exploitation could lead to a self-Denial of Service of the per-connection daemon process.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A buffer underwrite in libssh enables remote, unauthenticated exploitation of the GSSAPI authentication path to crash the server process (application/system exploitation for DoS).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires timely installation of the libssh patches (0.11.4/0.12.0) that eliminate the zero-length buffer underwrite in `ssh_get_hexa()`.
Allows explicit configuration of SSH_LOG_PACKET verbosity and GSSAPI authentication settings to avoid the code path that triggers the vulnerable function.
Enforces disabling or restricting unneeded GSSAPI authentication and high-volume packet logging features that expose the flaw.