Impact
An attacker interacting with a service utilizing libssh for SFTP operations can trigger an out-of-bounds (OOB) read [S1]. This memory access violation may allow the retrieval of sensitive information from the process memory or cause the application to crash, resulting in a denial-of-service (DoS) condition [S1].
Root Cause
The vulnerability is located within the sftp_handle function of the libssh library [S1]. The issue stems from an incorrect comparison check during the validation of SFTP handles [S1]. Because the check fails to properly restrict access within the bounds of the valid handle list, the function may read memory outside of the intended buffer and return an invalid pointer to the caller [S1].
Affected Versions
- libssh versions prior to 0.11.2 [S1].
Fix
Users should update to libssh version 0.11.2 or later [S1]. These versions include corrected comparison logic to ensure handle validation remains within safe memory bounds [S1].
Detection Guidance
Security teams can identify this vulnerability by auditing project manifests and dependency lockfiles for libssh versions lower than 0.11.2 [S1]. For environments where SSH services are exposed, version fingerprinting can be used to detect vulnerable libssh strings reported by the server [S1].
