PatchSiren cyber security CVE debrief
CVE-2025-4877 Red Hat CVE debrief
A vulnerability in the libssh library affects 32-bit builds where an integer overflow in the bin_to_base64() function—triggered via ssh_get_fingerprint_hash() with an unexpectedly large input buffer—can lead to heap corruption through out-of-bounds write. The issue stems from memory under-allocation due to the overflow. This vulnerability is confined to 32-bit architectures and does not affect 64-bit builds. The CVSS 3.1 score of 4.5 (Medium) reflects local attack vector, high attack complexity, and low privileges required. Red Hat has assigned this CVE and published an erratum, while the upstream libssh project has committed a fix to the stable-0.11 branch.
- Vendor: Red Hat
- Product: Red Hat Enterprise Linux 9
- CVSS: MEDIUM 4.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-08-20
- Original CVE updated: 2026-05-19
- Advisory published: 2025-08-20
- Advisory updated: 2026-05-19
Who should care
Organizations running 32-bit libssh builds in production environments, particularly those exposing SSH fingerprinting functionality to untrusted input or operating in multi-tenant contexts where local privilege boundaries exist.
Technical summary
The vulnerability exists in libssh's bin_to_base64() function when processing large input buffers passed through ssh_get_fingerprint_hash(). On 32-bit builds, an integer overflow during size calculation causes insufficient memory allocation, resulting in heap corruption via out-of-bounds write. The attack requires local access with low privileges but is mitigated by high attack complexity. The fix involves proper bounds checking and size validation in the base64 encoding routine.
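As an added example (not libssh's or Red Hat's code), the pattern the summary describes modelled with a 32-bit length type: an unchecked base64 output-size computation that wraps for inputs near 3 GiB, a checked variant that refuses lengths whose size arithmetic would overflow, and an encoder that allocates only from the checked size. The size formula and function names are assumptions, not taken from libssh.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative only: a 32-bit length type standing in for size_t on a
 * 32-bit build; the formula is an assumption, not libssh's own code. */
typedef uint32_t len32_t;
static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Unchecked output size: 4 chars per 3 input bytes plus a NUL.
 * For inputs near 3 GiB the intermediate wraps and the result is tiny. */
len32_t b64_outlen_unchecked(len32_t len)
{
    return (len + 2) / 3 * 4 + 1;
}

/* Checked variant: every step is tested against the type limit first,
 * so a wrapping computation is reported instead of silently used. */
bool b64_outlen_checked(len32_t len, len32_t *out)
{
    if (len > UINT32_MAX - 2) return false;
    len32_t groups = (len + 2) / 3;
    if (groups > (UINT32_MAX - 1) / 4) return false;
    *out = groups * 4 + 1;
    return true;
}

/* Encoder that allocates only from the checked size; returns NULL on
 * overflow or allocation failure, never an under-sized buffer. */
char *b64_encode_safe(const unsigned char *in, len32_t len)
{
    len32_t outlen, i;
    if (!b64_outlen_checked(len, &outlen)) return NULL;
    char *out = malloc(outlen), *p = out;
    if (out == NULL) return NULL;
    for (i = 0; i + 3 <= len; i += 3) {
        uint32_t v = (uint32_t)in[i] << 16 | (uint32_t)in[i + 1] << 8 | in[i + 2];
        *p++ = B64[v >> 18]; *p++ = B64[(v >> 12) & 63];
        *p++ = B64[(v >> 6) & 63]; *p++ = B64[v & 63];
    }
    if (i < len) { /* one or two trailing bytes, padded with '=' */
        uint32_t v = (uint32_t)in[i] << 16 | (i + 1 < len ? (uint32_t)in[i + 1] << 8 : 0);
        *p++ = B64[v >> 18]; *p++ = B64[(v >> 12) & 63];
        *p++ = (i + 1 < len) ? B64[(v >> 6) & 63] : '='; *p++ = '=';
    }
    *p = '\0'; return out;
}
```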
Defensive priority
medium
Recommended defensive actions
- Upgrade to patched libssh version from stable-0.11 branch or vendor-provided security update
- Verify build architecture and prioritize patching for 32-bit libssh deployments
- Monitor vendor security advisories for distribution-specific patch availability
- Review application code for direct calls to ssh_get_fingerprint_hash() with untrusted input buffers
- Apply principle of least privilege to limit exposure of libssh-consuming services
Evidence notes
CVE published 2025-08-20; modified 2026-05-19. CVSS vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L. CWE-787 (Out-of-bounds Write) identified. Affects only 32-bit libssh builds. Upstream fix committed to stable-0.11 branch. Red Hat erratum RHSA-2026:18683 published.
Official resources
2025-08-20