CVE-2025-5318
Libssh: out-of-bounds read in sftp_handle()
CVSS Score
8.1
EPSS Score
0.0%
EPSS Percentile
0th
A flaw was found in the libssh library in versions less than 0.11.2. An out-of-bounds read can be triggered in the sftp_handle function due to an incorrect comparison check that permits the function to access memory beyond the valid handle list and to return an invalid pointer, which is used in further processing. This vulnerability allows an authenticated remote attacker to potentially read unintended memory regions, exposing sensitive information or affect service behavior.
| CWE | CWE-125 |
| Published | Jun 24, 2025 |
| Last Updated | Mar 18, 2026 |
Stay Ahead of the Next One
Get instant alerts for
Be the first to know when new high vulnerabilities are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High
Affected Versions
Red Hat / Red Hat Enterprise Linux 10
All versions affected Red Hat / Red Hat Enterprise Linux 10
All versions affected Red Hat / Red Hat Enterprise Linux 8
All versions affected Red Hat / Red Hat Enterprise Linux 8
All versions affected Red Hat / Red Hat Enterprise Linux 8.2 Advanced Update Support
All versions affected Red Hat / Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
All versions affected Red Hat / Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On
All versions affected Red Hat / Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
All versions affected Red Hat / Red Hat Enterprise Linux 8.6 Telecommunications Update Service
All versions affected Red Hat / Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
All versions affected Red Hat / Red Hat Enterprise Linux 8.8 Telecommunications Update Service
All versions affected Red Hat / Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
All versions affected Red Hat / Red Hat Enterprise Linux 9
All versions affected Red Hat / Red Hat Enterprise Linux 9
All versions affected Red Hat / Red Hat Enterprise Linux 9
All versions affected Red Hat / Red Hat Enterprise Linux 9
All versions affected Red Hat / Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions
All versions affected Red Hat / Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions
All versions affected Red Hat / Red Hat Enterprise Linux 9.4 Extended Update Support
All versions affected Red Hat / Red Hat OpenShift Container Platform 4.12
All versions affected Red Hat / Red Hat OpenShift Container Platform 4.13
All versions affected Red Hat / Red Hat OpenShift Container Platform 4.14
All versions affected Red Hat / Red Hat OpenShift Container Platform 4.15
All versions affected Red Hat / Red Hat OpenShift Container Platform 4.16
All versions affected Red Hat / Red Hat OpenShift Container Platform 4.17
All versions affected Red Hat / Red Hat OpenShift Container Platform 4.18
All versions affected Red Hat / Red Hat OpenShift Container Platform 4.19
All versions affected Red Hat / Red Hat OpenShift Container Platform 4.20
All versions affected Red Hat / Red Hat AI Inference Server 3.2
All versions affected Red Hat / Red Hat AI Inference Server 3.2
All versions affected Red Hat / Red Hat AI Inference Server 3.2
All versions affected Red Hat / Red Hat AI Inference Server 3.2
All versions affected Red Hat / Red Hat AI Inference Server 3.2
All versions affected Red Hat / Red Hat OpenShift distributed tracing 3.7.1
All versions affected Red Hat / Red Hat OpenShift distributed tracing 3.7.1
All versions affected Red Hat / Red Hat OpenShift distributed tracing 3.7.1
All versions affected Red Hat / Red Hat OpenShift distributed tracing 3.7.1
All versions affected Red Hat / Red Hat OpenShift distributed tracing 3.7.1
All versions affected Red Hat / Red Hat OpenShift distributed tracing 3.7.1
All versions affected References
access.redhat.com: https://access.redhat.com/errata/RHSA-2025:18231 access.redhat.com: https://access.redhat.com/errata/RHSA-2025:18275 access.redhat.com: https://access.redhat.com/errata/RHSA-2025:18286 access.redhat.com: https://access.redhat.com/errata/RHSA-2025:19012 access.redhat.com: https://access.redhat.com/errata/RHSA-2025:19098 access.redhat.com: https://access.redhat.com/errata/RHSA-2025:19101 access.redhat.com: https://access.redhat.com/errata/RHSA-2025:19295 access.redhat.com: https://access.redhat.com/errata/RHSA-2025:19300 access.redhat.com: https://access.redhat.com/errata/RHSA-2025:19313 access.redhat.com: https://access.redhat.com/errata/RHSA-2025:19400 access.redhat.com: https://access.redhat.com/errata/RHSA-2025:19401 access.redhat.com: https://access.redhat.com/errata/RHSA-2025:19470 access.redhat.com: https://access.redhat.com/errata/RHSA-2025:19472 access.redhat.com: https://access.redhat.com/errata/RHSA-2025:19807 access.redhat.com: https://access.redhat.com/errata/RHSA-2025:19864 access.redhat.com: https://access.redhat.com/errata/RHSA-2025:20943 access.redhat.com: https://access.redhat.com/errata/RHSA-2025:21013 access.redhat.com: https://access.redhat.com/errata/RHSA-2025:21329 access.redhat.com: https://access.redhat.com/errata/RHSA-2025:21829 access.redhat.com: https://access.redhat.com/errata/RHSA-2025:22275 access.redhat.com: https://access.redhat.com/errata/RHSA-2025:23078 access.redhat.com: https://access.redhat.com/errata/RHSA-2025:23079 access.redhat.com: https://access.redhat.com/errata/RHSA-2025:23080 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:0326 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:1541 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:3461 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:3462 access.redhat.com: https://access.redhat.com/security/cve/CVE-2025-5318 bugzilla.redhat.com: https://bugzilla.redhat.com/show_bug.cgi?id=2369131 libssh.org: https://www.libssh.org/security/advisories/CVE-2025-5318.txt
Credits
Red Hat would like to thank Ronald Crane for reporting this issue.