PatchSiren cyber security CVE debrief

CVE-2026-0966 Red Hat CVE debrief

CVE-2026-0966 is a network-reachable denial-of-service issue in libssh. According to the CVE record and NVD data, the flaw was published on 2026-03-26 and later modified on 2026-05-11. The issue affects ssh_get_hexa() when it processes zero-length input, and exploitation is tied to GSSAPI authentication with server logging verbosity set to SSH_LOG_PACKET (3) or higher. The practical result is a self-denial-of-service of the per-connection daemon process, not a confirmed full system compromise. NVD lists the issue as HIGH severity with CVSS 8.2.

Vendor: Red Hat
Product: CVE-2026-0966
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-26
Original CVE updated: 2026-05-11
Advisory published: 2026-03-26
Advisory updated: 2026-05-11

Who should care

Administrators and vendors running libssh-based SSH services should review this immediately, especially if GSSAPI authentication is enabled and verbose packet logging is used. Red Hat customers should also check the linked Red Hat advisory and affected product references, including RHEL, OpenShift Container Platform, and hardened image deployments listed by NVD.

Technical summary

The vulnerability is a denial-of-service condition in libssh's ssh_get_hexa() API when zero-length input is handled. The attack path described in the CVE record requires remote interaction during GSSAPI authentication and a logging level of SSH_LOG_PACKET (3) or higher. NVD maps the weakness to CWE-124 and lists libssh versions earlier than 0.11.4 as vulnerable. The impact described is a crash or failure of the per-connection daemon process, which can interrupt individual SSH sessions.

Defensive priority

High. The issue is remotely reachable, requires no privileges or user interaction, and can disrupt active SSH connections. While the impact is limited to the per-connection daemon process, the attack surface is common in SSH deployments and the CVSS score is 8.2.

Recommended defensive actions

  • Upgrade libssh to 0.11.4 or later, using the vendor-fixed package stream for your platform.
  • If you cannot patch immediately, reduce SSH logging verbosity below SSH_LOG_PACKET (3) where operationally feasible.
  • Review whether GSSAPI authentication is enabled on exposed SSH services and limit exposure to trusted networks where possible.
  • Check vendor guidance for affected Red Hat products and apply the referenced RHSA-2026:7067 remediation.
  • Validate that your deployed libssh packages or container images are not using versions older than 0.11.4.
  • Monitor SSH daemon logs and connection stability for signs of repeated per-connection process failures until remediation is complete.
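The validation step above can be scripted against a package inventory. The following is an added example, not code from the advisory, Red Hat or libssh: it parses rpm-style package names (the names below are constructed, and the "name-version-release.arch" layout is assumed) and flags any libssh library version older than the 0.11.4 fix named in the CVE record.

```shell
# Added example, not code from the advisory or from libssh: flag installed libssh
# packages older than the fixed release 0.11.4 named in the CVE record. Assumes
# the standard rpm "name-version-release.arch" package naming.
FIXED_VERSION="0.11.4"

# Extract the upstream version from an rpm package name, e.g.
# "libssh-0.10.4-13.el9.x86_64" -> "0.10.4"; libssh-config-* etc. yield nothing.
libssh_version_from_rpm() {
    printf '%s\n' "$1" | sed -n 's/^libssh-\([0-9][0-9.]*\)-.*/\1/p'
}

# Compare two dotted versions field by field as integers, so 0.9.6 sorts before
# 0.11.4 (a plain string compare gets this wrong). Prints older/equal/newer.
version_compare() {
    a="$1." b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        a=${a#*.}  b=${b#*.}
        if [ "${x:-0}" -lt "${y:-0}" ]; then echo older; return; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then echo newer; return; fi
    done
    echo equal
}

# True (exit 0) when the given libssh version predates the fixed release.
libssh_version_vulnerable() {
    [ "$(version_compare "$1" "$FIXED_VERSION")" = "older" ]
}

# Constructed sample inventory standing in for `rpm -qa 'libssh*'` output.
SAMPLE_PACKAGES="libssh-0.10.4-13.el9.x86_64
libssh-0.9.6-14.el8.x86_64
libssh-0.11.4-1.fc41.x86_64
libssh-config-0.10.4-13.el9.noarch"

# Print one verdict line per libssh library package in the inventory.
report_vulnerable() {
    printf '%s\n' "$SAMPLE_PACKAGES" | while IFS= read -r pkg; do
        ver=$(libssh_version_from_rpm "$pkg")
        [ -n "$ver" ] || continue
        if libssh_version_vulnerable "$ver"; then
            printf 'VULNERABLE %s (libssh %s < %s)\n' "$pkg" "$ver" "$FIXED_VERSION"
        else
            printf 'ok         %s\n' "$pkg"
        fi
    done
}

report_vulnerable
```

On a real host, replace SAMPLE_PACKAGES with the output of the platform's package query; distribution backports may fix the issue in an older upstream version string, so confirm against the vendor advisory before treating a flagged package as unpatched.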

Evidence notes

The CVE description supplied in the source corpus states the flaw is in libssh's ssh_get_hexa() and is exploitable remotely during GSSAPI authentication when logging verbosity is SSH_LOG_PACKET (3) or higher. NVD metadata marks the issue as Modified on 2026-05-11 and lists libssh versions before 0.11.4 as vulnerable. The Red Hat advisory, security page, issue tracker entry, and libssh release notes are the supplied supporting references. The impact described is self-denial-of-service of the per-connection daemon process. No exploit code or reproduction steps are included here.

Official resources

Publicly disclosed in the CVE record on 2026-03-26 and updated in NVD on 2026-05-11. This debrief is based only on the supplied official record and vendor references.