INFSA-2025:21977: libssh security update

Information about definition

Identificator: INFSA-2025:21977

Type: security

Release date: 2025-12-07 22:00:47 UTC

Information about package

libssh is a library which implements the SSH protocol. It can be used to implement client and server applications.

Vulnerabilities description

  • CVE-2025-5372

    A flaw was found in libssh versions built with OpenSSL versions older than 3.0, specifically in the ssh_kdf() function responsible for key derivation. Due to inconsistent interpretation of return values where OpenSSL uses 0 to indicate failure and libssh uses 0 for success—the function may mistakenly return a success status even when key derivation fails. This results in uninitialized cryptographic key buffers being used in subsequent communication, potentially compromising SSH sessions' confidentiality, integrity, and availability.

Severity level

CVE Score CVSS 2.0 Score CVSS 3.x Score CVSS 4.0
NIST — CVE-2025-5372
 no information 5.0 no information
Critical, important, moderate, low

Updated packages

loader icon Preparing to download...
Architecture: Download