CVE-2025-5318

8.1 HIGH

📋 TL;DR

This vulnerability in libssh allows an authenticated remote attacker to trigger an out-of-bounds read in the sftp_handle function, potentially exposing sensitive memory contents or affecting service behavior. It affects libssh versions less than 0.11.2 and requires attacker authentication.

💻 Affected Systems

Products:
  • libssh
Versions: less than 0.11.2
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Requires SFTP functionality enabled and attacker authentication.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote authenticated attacker reads sensitive memory contents (passwords, keys, session data) leading to full system compromise or data exfiltration.

🟠 Likely Case

Information disclosure of limited memory regions, potentially exposing some sensitive data or causing service instability.

🟢 If Mitigated

Minimal impact with proper network segmentation, authentication controls, and monitoring in place.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated SFTP access and specific conditions to trigger the out-of-bounds read.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.11.2 or later

Vendor Advisory: https://access.redhat.com/errata/RHSA-2025:18231

Restart Required: Yes

Instructions:

  1. Update libssh to version 0.11.2 or later using your package manager.
  2. Restart services that use libssh.
  3. Verify the update was successful.

🔧 Temporary Workarounds

Disable SFTP

Disable SFTP functionality if it is not required. In sshd_config, comment out or remove the SFTP subsystem line:

  # Subsystem sftp internal-sftp

Restrict SFTP Access

Limit SFTP access to trusted users only. In sshd_config:

  Match User trusted_user
      ForceCommand internal-sftp
      ChrootDirectory /var/sftp
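The following helpers, an added example that is not part of the advisory or of the libssh or OpenSSH projects, audit an sshd_config for an active SFTP subsystem, produce a copy with it commented out, and render the restricted Match block above. One caveat a practitioner should keep in mind: sshd_config governs OpenSSH's sshd only; a service that embeds libssh's own SFTP server is not affected by these settings and needs the patched library. The user name trusted_user and the directory /var/sftp are placeholders, and the two forwarding directives in the rendered block are added hardening beyond the advisory's snippet.

```shell
#!/bin/sh
# Added example (not part of the advisory or of libssh/OpenSSH): helpers for
# auditing and applying the two sshd_config workarounds above.
# Caveat: sshd_config governs OpenSSH's sshd only. A service that embeds
# libssh's own SFTP server is not affected by these settings and needs the
# patched library. "trusted_user" and "/var/sftp" are placeholders.

# Return 0 if the given sshd_config still has an active (uncommented)
# "Subsystem sftp ..." directive, 1 if the SFTP subsystem is disabled.
# Directive names are case-insensitive in sshd, hence grep -i.
sftp_subsystem_enabled() {
    grep -Eiq '^[[:space:]]*Subsystem[[:space:]]+sftp([[:space:]]|$)' "$1"
}

# Write a copy of config $1 to $2 with any active "Subsystem sftp" line
# commented out (standard capitalisation assumed). Review the copy and
# validate it with "sshd -t -f <copy>" before installing it.
disable_sftp_subsystem() {
    sed -E 's/^([[:space:]]*Subsystem[[:space:]]+sftp([[:space:]]|$))/# \1/' "$1" > "$2"
}

# Print a Match block that confines user $1 to chrooted SFTP under $2.
# The chroot directory must be owned by root and not group/world writable,
# or sshd refuses the login. The two forwarding directives are added
# hardening on top of the advisory's block.
render_sftp_restriction() {
    cat <<EOF
Match User $1
    ForceCommand internal-sftp
    ChrootDirectory $2
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# Demo on a constructed sample config written to a temporary file.
demo() {
    sample=$(mktemp) && patched=$(mktemp) || return 1
    printf '%s\n' 'Port 22' 'Subsystem sftp /usr/lib/openssh/sftp-server' > "$sample"
    sftp_subsystem_enabled "$sample" && echo "sample: SFTP subsystem enabled"
    disable_sftp_subsystem "$sample" "$patched"
    sftp_subsystem_enabled "$patched" || echo "patched copy: SFTP subsystem disabled"
    render_sftp_restriction trusted_user /var/sftp
    rm -f "$sample" "$patched"
}
```

Source the file and call `sftp_subsystem_enabled /etc/ssh/sshd_config && echo enabled` to audit a live host; `demo` exercises all three helpers on a constructed config. Any generated configuration should be checked with `sshd -t -f` before it replaces the real file.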

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate vulnerable systems
  • Enforce strong authentication and limit SFTP access to minimal required users

🔍 How to Verify

Check if Vulnerable:

Check the installed libssh package version: dpkg -l | grep libssh (Debian/Ubuntu) or rpm -q libssh (RHEL/Fedora). Note that ssh -V reports the OpenSSH client version; OpenSSH does not use libssh, so its output cannot tell you which libssh is installed.

Check Version:

dpkg-query -W -f='${Version}\n' libssh-4 (Debian/Ubuntu) or rpm -q --qf '%{VERSION}\n' libssh (RHEL/Fedora)

Verify Fix Applied:

Confirm the installed version is 0.11.2 or later. A loose pattern such as grep 'libssh_0\.1[1-9]' is not sufficient, because it also matches the vulnerable 0.11.0 and 0.11.1; compare the full version string instead (for example with dpkg --compare-versions <version> ge 0.11.2, or with sort -V).
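The script below is an added example, not part of the advisory or of libssh, that performs this check end to end: it queries dpkg or rpm for the installed libssh version, strips the distribution epoch and revision, and compares the result against 0.11.2 with a real version comparison rather than a pattern match, so that 0.11.0 and 0.11.1 are correctly reported as vulnerable and 0.11.10 as fixed. It assumes the usual package names libssh-4 (Debian/Ubuntu) and libssh (RHEL/Fedora), a sort that supports -V, and that it is saved as check_libssh.sh.

```shell
#!/bin/sh
# Added example (not from the advisory or libssh): report the installed
# libssh version and compare it against the fixed release, 0.11.2.
# Assumes a dpkg (Debian/Ubuntu) or rpm (RHEL/Fedora) host with the usual
# package names libssh-4 / libssh, and a sort(1) that supports -V.

FIXED_VERSION="0.11.2"

# Normalise a distribution version string to upstream form by stripping a
# Debian epoch ("1:") and the package revision ("-2ubuntu1", "-1.el9").
upstream_version() {
    printf '%s\n' "$1" | sed -e 's/^[0-9]*://' -e 's/-.*$//'
}

# Return 0 if the given version is >= 0.11.2, 1 if it is still vulnerable.
# sort -V orders dotted versions numerically, so 0.11.10 sorts after 0.11.2.
libssh_is_fixed() {
    v=$(upstream_version "$1")
    lowest=$(printf '%s\n%s\n' "$FIXED_VERSION" "$v" | sort -V | head -n1)
    [ "$lowest" = "$FIXED_VERSION" ]
}

# Print the installed libssh version from the package manager, or nothing
# if the package is not installed through dpkg/rpm.
installed_libssh_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}\n' libssh-4 2>/dev/null
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}\n' libssh 2>/dev/null
    fi
}

# Exit 0 when fixed, 1 when vulnerable, 2 when the version is unknown.
main() {
    v=$(installed_libssh_version)
    if [ -z "$v" ]; then
        echo "libssh not found via dpkg/rpm; check vendored or source builds"
        return 2
    fi
    if libssh_is_fixed "$v"; then
        echo "libssh $v: fixed (>= $FIXED_VERSION)"
    else
        echo "libssh $v: VULNERABLE to CVE-2025-5318 (< $FIXED_VERSION)"
        return 1
    fi
}

# Run the check only when executed directly, so the functions can be sourced.
case "$0" in *check_libssh.sh) main "$@" ;; esac
```

The exit code makes the script usable from configuration management or a fleet-wide inventory job; a statically linked or vendored libssh will not show up in the package query, which is why the unknown case is reported separately rather than as "fixed".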

📡 Detection & Monitoring

Log Indicators:

  • Unusual SFTP connection patterns
  • Multiple failed authentication attempts followed by SFTP access
  • System logs showing memory access errors

Network Indicators:

  • Anomalous SFTP traffic patterns
  • Unexpected data exfiltration over SFTP

SIEM Query:

source="sshd" AND "sftp" AND ("error" OR "failed" OR "invalid")
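As an added example that is not part of the advisory, the function below implements the log indicator "multiple failed authentication attempts followed by SFTP access" over OpenSSH sshd syslog lines: it counts failed password attempts per user and reports a user once an SFTP subsystem request follows at least a threshold of failures. The sample log lines are constructed (using RFC 5737 documentation addresses); a libssh-based server writes its own log format and would need its own patterns.

```shell
#!/bin/sh
# Added example (not from the advisory): a log-side check for the indicator
# "multiple failed authentication attempts followed by SFTP access", run over
# OpenSSH sshd syslog lines. The sample lines below are constructed; a
# libssh-based server logs in its own format and needs its own patterns.

# Print "user failures" for each user whose "subsystem request for sftp"
# follows at least $2 (default 3) failed password attempts earlier in log $1.
failed_then_sftp() {
    awk -v threshold="${2:-3}" '
        /Failed password for/ {
            # The user name follows "for"; "invalid user NAME" lines carry it two fields later.
            for (i = 1; i <= NF; i++) {
                if ($i == "for") {
                    u = ($(i + 1) == "invalid") ? $(i + 3) : $(i + 1)
                    break
                }
            }
            fails[u]++
        }
        /subsystem request for sftp by user/ {
            u = $NF
            if (fails[u] >= threshold && !(u in flagged)) {
                flagged[u] = 1
                print u, fails[u]
            }
        }
    ' "$1"
}

# Write constructed sshd lines (RFC 5737 documentation addresses) to file $1.
write_sample_log() {
    cat > "$1" <<'EOF'
Jan 10 10:00:01 host sshd[1001]: Failed password for alice from 203.0.113.7 port 50001 ssh2
Jan 10 10:00:03 host sshd[1001]: Failed password for alice from 203.0.113.7 port 50001 ssh2
Jan 10 10:00:05 host sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 50003 ssh2
Jan 10 10:00:06 host sshd[1001]: Failed password for alice from 203.0.113.7 port 50001 ssh2
Jan 10 10:00:08 host sshd[1002]: Accepted password for alice from 203.0.113.7 port 50002 ssh2
Jan 10 10:00:09 host sshd[1002]: subsystem request for sftp by user alice
Jan 10 10:05:00 host sshd[1003]: Accepted publickey for bob from 198.51.100.4 port 40001 ssh2
Jan 10 10:05:01 host sshd[1003]: subsystem request for sftp by user bob
EOF
}

# Demo: run the check over the constructed sample in a temporary file.
demo() {
    log=$(mktemp) || return 1
    write_sample_log "$log"
    echo "users with >= 3 failed logins before an SFTP session:"
    failed_then_sftp "$log" 3
    rm -f "$log"
}
```

On the sample, only alice is reported (three failures, then an SFTP session); bob, who authenticated cleanly with a key, is not, and the failures against the non-existent admin account are tracked separately rather than attributed to alice. Run it against a real host with `failed_then_sftp /var/log/auth.log 5` to use a stricter threshold.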
