PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-0968 Redhat CVE debrief

CVE-2026-0968, published on 2026-03-26 and last modified on 2026-05-19, affects libssh during SFTP file listing. A malicious server can send a malformed "longname" field in an SSH_FXP_NAME message, and the missing null check may cause an out-of-bounds read on the heap. The supplied record rates this as low severity with availability impact only, but it can still crash affected applications and cause a denial of service.

Vendor: Redhat
Product: Unknown
CVSS: LOW 3.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-26
Original CVE updated: 2026-05-19
Advisory published: 2026-03-26
Advisory updated: 2026-05-19

Who should care

Security and platform teams that deploy applications using libssh for SFTP access, especially where clients connect to untrusted or third-party SFTP servers. Downstream package maintainers and Red Hat users should also review the referenced advisories and package updates.

Technical summary

The issue is a missing null check in libssh while processing SFTP directory listings. When a malicious server returns a malformed SSH_FXP_NAME response, the unchecked "longname" field can lead to a read beyond the allocated heap buffer. The supplied CVSS vector is CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L, and the supplied weakness mapping is CWE-476.
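The class of defect described above, illustrated as an added example that is not libssh's code and does not reproduce the patched function: a bounds-checked parser for the body of an SSH_FXP_NAME response (SFTP v3 wire layout: uint32 request-id, uint32 count, then per entry a filename string, a longname string and an ATTRS block). Every field read reports failure and the caller checks that result before touching the data, so a server-supplied longname whose declared length exceeds the bytes actually received is rejected instead of being read past the end of the buffer. The packet bytes and the function names are this example's own constructions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Read-only cursor over one received SFTP packet body. pos never exceeds len. */
typedef struct { const uint8_t *data; size_t len; size_t pos; } sftp_buf;

/* Big-endian uint32. Returns 0 on success, -1 if fewer than 4 bytes remain. */
static int read_u32(sftp_buf *b, uint32_t *out) {
    if (b->len - b->pos < 4) return -1;
    const uint8_t *p = b->data + b->pos;
    *out = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
    b->pos += 4;
    return 0;
}

/* SSH "string": uint32 length followed by that many bytes (returned without copying).
 * Returns -1 when the declared length is larger than what the server actually sent;
 * this is the check that turns a malformed longname into a parse error. */
static int read_string(sftp_buf *b, const uint8_t **out, uint32_t *out_len) {
    uint32_t n;
    if (read_u32(b, &n) != 0) return -1;
    if (n > b->len - b->pos) return -1;
    *out = b->data + b->pos;
    *out_len = n;
    b->pos += n;
    return 0;
}

/* ATTRS (SFTP v3): uint32 flags, then optional fields selected by the flag bits. */
static int skip_attrs(sftp_buf *b) {
    uint32_t flags, v;
    if (read_u32(b, &flags) != 0) return -1;
    if (flags & 0x00000001u)                       /* SSH_FILEXFER_ATTR_SIZE: uint64 */
        if (read_u32(b, &v) != 0 || read_u32(b, &v) != 0) return -1;
    if (flags & 0x00000002u)                       /* SSH_FILEXFER_ATTR_UIDGID */
        if (read_u32(b, &v) != 0 || read_u32(b, &v) != 0) return -1;
    if (flags & 0x00000004u)                       /* SSH_FILEXFER_ATTR_PERMISSIONS */
        if (read_u32(b, &v) != 0) return -1;
    if (flags & 0x00000008u)                       /* SSH_FILEXFER_ATTR_ACMODTIME */
        if (read_u32(b, &v) != 0 || read_u32(b, &v) != 0) return -1;
    if (flags & 0x80000000u) {                     /* SSH_FILEXFER_ATTR_EXTENDED */
        uint32_t count, len; const uint8_t *s;
        if (read_u32(b, &count) != 0) return -1;
        for (uint32_t i = 0; i < count; i++)       /* extended_type, extended_data pairs */
            if (read_string(b, &s, &len) != 0 || read_string(b, &s, &len) != 0) return -1;
    }
    return 0;
}

/* Parse an SSH_FXP_NAME body (everything after the packet type byte).
 * Returns the number of entries, or -1 if any field is malformed or truncated. */
static int parse_fxp_name(const uint8_t *pkt, size_t pkt_len) {
    sftp_buf b = { pkt, pkt_len, 0 };
    uint32_t req_id, count, fname_len, long_len;
    const uint8_t *fname, *longname;
    if (read_u32(&b, &req_id) != 0 || read_u32(&b, &count) != 0) return -1;
    for (uint32_t i = 0; i < count; i++) {
        if (read_string(&b, &fname, &fname_len) != 0) return -1;
        if (read_string(&b, &longname, &long_len) != 0) return -1;  /* checked before use */
        if (skip_attrs(&b) != 0) return -1;
    }
    return (int)count;
}

/* Constructed well-formed listing with two entries. */
static const uint8_t kGoodPkt[] = {
    0x00,0x00,0x00,0x01,                            /* request-id = 1 */
    0x00,0x00,0x00,0x02,                            /* count = 2 */
    0x00,0x00,0x00,0x01, 'a',                       /* filename "a" */
    0x00,0x00,0x00,0x03, '-','r','w',               /* longname "-rw" */
    0x00,0x00,0x00,0x05,                            /* ATTRS flags = SIZE | PERMISSIONS */
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x2a,       /* size = 42 */
    0x00,0x00,0x81,0xa4,                            /* permissions = 0100644 */
    0x00,0x00,0x00,0x02, 'b','c',                   /* filename "bc" */
    0x00,0x00,0x00,0x00,                            /* longname "" (empty is legal) */
    0x00,0x00,0x00,0x00,                            /* ATTRS flags = 0 */
};

/* Constructed malformed listing: longname claims ~4 GiB but one byte follows. */
static const uint8_t kBadLongnamePkt[] = {
    0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x01,       /* request-id = 1, count = 1 */
    0x00,0x00,0x00,0x01, 'a',                       /* filename "a" */
    0xff,0xff,0xff,0xf0, 'x',                       /* longname length 0xfffffff0 */
    0x00,0x00,0x00,0x00,                            /* ATTRS flags = 0 */
};

int main(void) {
    printf("well-formed listing : %d entries\n", parse_fxp_name(kGoodPkt, sizeof kGoodPkt));
    printf("oversized longname  : %d\n", parse_fxp_name(kBadLongnamePkt, sizeof kBadLongnamePkt));
    printf("truncated after hdr : %d\n", parse_fxp_name(kGoodPkt, 8));
    return 0;
}
```

The parser carries no pointer that can be NULL or past the end at the point of use: each read either succeeds and advances the cursor or returns -1 and the caller stops. Rejecting the whole response on the first malformed field is the right behaviour for a client, since a server that cannot produce a consistent listing should not be trusted to produce consistent attributes either.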

Defensive priority

Moderate for exposed SFTP client workflows, despite the low CVSS score. The vulnerability requires a malicious server and user-driven file listing interaction, but affected clients may still crash. Prioritize if your environment connects to untrusted SFTP endpoints or ships libssh in widely used tooling.

Recommended defensive actions

  • Inventory systems and applications using libssh, especially versions at or below 0.11.3.
  • Apply vendor updates that include the libssh 0.11.4 security release or later.
  • Review Red Hat advisories RHSA-2026:18160 and RHSA-2026:18683 for downstream package fixes.
  • Validate whether SFTP file listing against untrusted servers is part of your operational workflow and add compensating controls where possible.
  • Monitor for application crashes or abnormal behavior in SFTP-enabled clients until patched.

Evidence notes

Evidence comes from the supplied NVD record and Red Hat-linked references. The NVD data identifies libssh versions through 0.11.3 as vulnerable and assigns CVSS 3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L with CWE-476. The references include Red Hat advisories, a Red Hat CVE page, a Bugzilla entry, and libssh security release notes for 0.12.0 and 0.11.4.

Official resources

Publicly disclosed in the CVE record on 2026-03-26, with the NVD entry modified on 2026-05-19. The supplied references point to Red Hat advisories and libssh security release notes dated 2026-02-10.