{"id":"RLSA-2026:18160","summary":"Moderate: libssh security update","details":"libssh is a library which implements the SSH protocol. It can be used to implement client and server applications.\n\nSecurity Fix(es):\n\n* libssh: Buffer underflow in ssh_get_hexa() on invalid input (CVE-2026-0966)\n\n* libssh: Improper sanitation of paths received from SCP servers (CVE-2026-0964)\n\n* libssh: libssh: Denial of Service via improper configuration file handling (CVE-2026-0965)\n\n* libssh: libssh: Denial of Service via inefficient regular expression processing (CVE-2026-0967)\n\n* libssh: libssh: Denial of Service due to malformed SFTP message (CVE-2026-0968)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Rocky Linux 10 Release Notes linked from the References section.","modified":"2026-05-29T16:30:04.552334599Z","published":"2026-05-29T16:03:24.060458Z","upstream":["CVE-2026-0964","CVE-2026-0965","CVE-2026-0966","CVE-2026-0967","CVE-2026-0968"],"references":[{"type":"ADVISORY","url":"https://errata.rockylinux.org/RLSA-2026:18160"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2433121"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2436979"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2436982"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2436981"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2436980"}],"affected":[{"package":{"name":"libssh","ecosystem":"Rocky Linux:10","purl":"pkg:rpm/rocky-linux/libssh?distro=rocky-linux-10&epoch=0"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:0.12.0-2.el10"}],"database_specific":{"yum_repository":"BaseOS"}}],"database_specific":{"source":"https://storage.googleapis.com/resf-osv-data/RLSA-2026:18160.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H"}],"credits":[{"name":"Rocky Enterprise Software Foundation"},{"name":"Red Hat"}]}