PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-4878 Red Hat CVE debrief

A vulnerability in libssh's privatekey_from_file() function leaves a variable uninitialized when the specified file does not exist. This flaw can result in signing failures or heap corruption. The issue was published on 2025-07-22 and last modified on 2026-05-19. Red Hat has assigned CVE-2025-4878 and released errata RHSA-2026:18683. The libssh project has published a security advisory and committed fixes. The CVSS 3.1 score is 3.6 (Low severity) with vector AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N, indicating local attack vector, high attack complexity, low privileges required, and low impacts to confidentiality and integrity. The weakness is classified as CWE-416 (Use After Free).

Vendor
Red Hat
Product
Red Hat Enterprise Linux 9
CVSS
LOW 3.6
CISA KEV
Not listed in stored evidence
Original CVE published
2025-07-22
Original CVE updated
2026-05-19
Advisory published
2025-07-22
Advisory updated
2026-05-19

Who should care

Organizations using libssh for SSH operations, particularly those handling private key file operations in automated or multi-user environments. System administrators maintaining libssh deployments and developers integrating libssh into applications.

Technical summary

The privatekey_from_file() function in libssh fails to properly initialize a variable when the specified filename does not exist. This can lead to undefined behavior including signing failures or heap corruption. The vulnerability requires local access and high attack complexity with low privileges. The issue is classified as CWE-416 (Use After Free). Fixes have been committed to the libssh repository and Red Hat has issued security errata.

Defensive priority

low

Recommended defensive actions

  • Apply vendor patches from libssh or Red Hat when available
  • Validate SSH private key file existence before calling libssh functions
  • Monitor application logs for signing failures that may indicate exploitation attempts
  • Review applications using libssh for proper error handling around file operations
  • Update libssh to a version containing the fixes referenced in the security advisory

Evidence notes

CVE description and NVD metadata confirm the uninitialized variable issue in privatekey_from_file(). Red Hat errata RHSA-2026:18683 and Bugzilla 2376184 provide vendor confirmation. Libssh security advisory and Git commits 697650caa97eaf7623924c75f9fcfec6dd423cd1 and b35ee876adc92a208d47194772e99f9c71e0bedb document the fix. CVSS vector and CWE-416 classification from NVD.

Official resources

2025-07-22