FixVibe
Research note | high

Out-of-Bounds Read in libssh sftp_handle (CVE-2025-5318)

A vulnerability in libssh versions prior to 0.11.2 involves an incorrect comparison check in the sftp_handle function. This flaw allows an out-of-bounds read, potentially leading to information disclosure or application crashes when processing SFTP handles.

CVE-2025-5318 | CWE-125

Impact

An attacker interacting with a service utilizing libssh for SFTP operations can trigger an out-of-bounds (OOB) read [S1]. This memory access violation may allow the retrieval of sensitive information from the process memory or cause the application to crash, resulting in a denial-of-service (DoS) condition [S1].

Root Cause

The vulnerability is located within the sftp_handle function of the libssh library [S1]. The issue stems from an incorrect comparison check during the validation of SFTP handles [S1]. Because the check fails to properly restrict access within the bounds of the valid handle list, the function may read memory outside of the intended buffer and return an invalid pointer to the caller [S1].

Affected Versions

  • libssh versions prior to 0.11.2 [S1].

Fix

Users should update to libssh version 0.11.2 or later [S1]. These versions include corrected comparison logic to ensure handle validation remains within safe memory bounds [S1].

Detection Guidance

Security teams can identify this vulnerability by auditing project manifests and dependency lockfiles for libssh versions lower than 0.11.2 [S1]. For environments where SSH services are exposed, version fingerprinting can be used to detect vulnerable libssh strings reported by the server [S1].
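Both checks described above can be scripted together. The following is an added example, not code from the advisory or from libssh. The banner and manifest formats it recognises and the sample lines are assumptions constructed for illustration.

```python
import re

FIXED = (0, 11, 2)  # first fixed release, per the note above

# Matches "libssh" + separator + dotted version. A separator must follow
# "libssh" directly, so "libssh2" (a separate project) never matches, and the
# lookbehind rejects names that merely end in "libssh" (e.g. "pylibssh").
_LIBSSH = re.compile(
    r"(?<!\w)libssh[\"']?\s*[-_/@:=]\s*[\"']?v?(\d+)\.(\d+)(?:\.(\d+))?",
    re.IGNORECASE,
)


def libssh_version(text):
    """Return (major, minor, patch) if text names libssh with a version."""
    m = _LIBSSH.search(text)
    if m is None:
        return None
    return tuple(int(g or 0) for g in m.groups())


def audit(lines):
    """Return (line, version, vulnerable) for each line that names libssh."""
    findings = []
    for line in lines:
        version = libssh_version(line)
        if version is not None:
            findings.append((line.strip(), version, version < FIXED))
    return findings


# Constructed sample input: SSH banners and manifest-style entries.
SAMPLE = [
    "SSH-2.0-libssh_0.10.6",    # server banner, below 0.11.2
    "SSH-2.0-libssh_0.11.2",    # server banner, fixed release
    "SSH-2.0-libssh2_1.11.0",   # libssh2: different library, ignored
    "SSH-2.0-OpenSSH_9.6",      # not libssh, ignored
    "libssh/0.9.8",             # package-reference style entry
    '"libssh": "0.11.1",',      # JSON manifest style entry
    "libssh=0.12",              # no patch component, treated as 0.12.0
]

if __name__ == "__main__":
    for line, version, vulnerable in audit(SAMPLE):
        status = "VULNERABLE (< 0.11.2)" if vulnerable else "ok"
        print(f"{status:22} {'.'.join(map(str, version)):8} {line}")
```

A reported version does not reflect fixes that a distribution has backported, so treat each hit as a lead to confirm against the installed package.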
