Cyber Posture

CVE-2026-0966

High

Published: 26 March 2026

Modified: 30 April 2026
CVSS Score: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H)
EPSS Score: 0.0005 (16.2th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-0966 is a high-severity Buffer Underflow (CWE-124) vulnerability in Red Hat Enterprise Linux. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 16.2th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004).
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly and comprehensively addresses CVE-2026-0966 by requiring timely patching of the buffer underwrite vulnerability in libssh via updated releases such as 0.12.0 or 0.11.4.

Prevent: Mitigates exploitation by enforcing secure configuration settings, such as disabling GSSAPI authentication or reducing logging verbosity below SSH_LOG_PACKET to avoid triggering the vulnerable ssh_get_hexa() function.

Detect: Detects deployments of vulnerable libssh versions affected by CVE-2026-0966 through regular vulnerability scanning, enabling proactive remediation.

MITRE ATT&CK Enterprise Techniques

T1499.004 · Application or System Exploitation · Tactic: Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

Buffer underwrite in libssh enables remote unauthenticated exploitation of GSSAPI auth path to crash the server process (application/system exploitation for DoS).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

The API function `ssh_get_hexa()` is vulnerable when 0-length input is provided to this function. This function is used internally in `ssh_get_fingerprint_hash()` and `ssh_print_hexa()` (deprecated), which is vulnerable to the same input (length is provided by the calling application). The function is also used internally in the gssapi code for logging the OIDs received by the server during GSSAPI authentication. This could be triggered remotely, when the server allows GSSAPI authentication and logging verbosity is set at least to SSH_LOG_PACKET (3). This could cause self-DoS of the per-connection daemon process.

Deeper analysis

CVE-2026-0966 is a vulnerability in the libssh library's API function `ssh_get_hexa()`, which suffers from a buffer underwrite (CWE-124) when given zero-length input. The function is used internally by `ssh_get_fingerprint_hash()` and the deprecated `ssh_print_hexa()`, both of which are vulnerable to the same input because the length is supplied by the calling application. Additionally, `ssh_get_hexa()` is invoked in the GSSAPI code to log the Object Identifiers (OIDs) received by the server during GSSAPI authentication. The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H).
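The zero-length condition described above, as an added C example (not libssh's source and not code from this page). It assumes a colon-separated hex formatter that places its terminator at offset `len * 3 - 1`; the names `terminator_offset` and `hex_colon` are hypothetical, and the sample bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed formatter shape: "xx:" per byte, then the last ':' is replaced by
 * NUL at offset len*3 - 1. For len == 0 the unsigned subtraction wraps to
 * SIZE_MAX, so the write lands one byte before the allocation (CWE-124). */
size_t terminator_offset(size_t len)
{
    return len * 3 - 1;
}

/* Hardened variant (hypothetical name). Caller frees the result.
 * Design choice: zero-length input yields an empty string, not NULL,
 * so logging callers that pass the result to "%s" stay safe. */
char *hex_colon(const unsigned char *data, size_t len)
{
    static const char digits[] = "0123456789abcdef";
    char *out;
    size_t i;

    if (len == 0)
        return calloc(1, 1);            /* guard: never index len*3 - 1 */
    if (data == NULL || len > (SIZE_MAX - 1) / 3)
        return NULL;                    /* reject NULL and size overflow */

    out = malloc(len * 3);              /* len*3 - 1 characters plus NUL */
    if (out == NULL)
        return NULL;
    for (i = 0; i < len; i++) {
        out[i * 3]     = digits[data[i] >> 4];
        out[i * 3 + 1] = digits[data[i] & 0x0f];
        out[i * 3 + 2] = ':';
    }
    out[terminator_offset(len)] = '\0'; /* in bounds because len >= 1 */
    return out;
}

int main(void)
{
    const unsigned char sample[] = { 0x2b, 0x06, 0x01 }; /* constructed bytes */
    char *s = hex_colon(sample, sizeof(sample));
    char *e = hex_colon(sample, 0);
    printf("3 bytes -> \"%s\", 0 bytes -> \"%s\"\n", s ? s : "", e ? e : "");
    free(s);
    free(e);
    return 0;
}
```

Any caller that forwards an externally supplied length to such a formatter needs the same zero-length check, whether or not the library underneath has been patched.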

A remote, unauthenticated attacker can exploit this vulnerability by triggering GSSAPI authentication on a vulnerable libssh server that has logging verbosity set to at least SSH_LOG_PACKET (level 3). This leads to a self-denial-of-service condition, crashing the per-connection daemon process due to the buffer underwrite. Exploitation requires no privileges or user interaction, with low attack complexity over the network, resulting in high availability impact from process termination and low integrity impact.

Mitigation is available through updated libssh releases, including versions 0.12.0 and 0.11.4, as detailed in the libssh security advisory. Red Hat has addressed the issue in errata RHSA-2026:7067, with further details on their CVE page and Bugzilla entry (ID 2433121). Security practitioners should upgrade affected libssh instances and review GSSAPI authentication configurations and logging levels to prevent exposure.

Details

CWE(s)

Affected Products

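Vendor: libssh · Product: libssh · Versions: ≤ 0.11.4
Vendor: redhat · Product: hardened images · Versions: all versions
Vendor: redhat · Product: openshift container platform · Versions: 4.0
Vendor: redhat · Product: enterprise linux · Versions: 10.0, 8.0, 9.0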

CVEs Like This One

CVE-2026-2100 · Same product: Redhat Enterprise Linux
CVE-2025-32990 · Same product: Redhat Enterprise Linux
CVE-2026-3731 · Same product: Libssh Libssh
CVE-2026-3260 · Same product: Redhat Enterprise Linux
CVE-2026-1584 · Same product: Redhat Hardened Images
CVE-2026-4271 · Same product: Redhat Enterprise Linux
CVE-2026-2436 · Same product: Redhat Enterprise Linux
CVE-2026-35091 · Same product: Redhat Enterprise Linux
CVE-2026-35092 · Same product: Redhat Enterprise Linux
CVE-2026-3442 · Same product: Redhat Enterprise Linux
