OpenSSH ssh_get_hexa Zero-Length Leak Self-DoS via GSSAPI
CVE-2026-0966 Published on March 26, 2026
Libssh: buffer underflow in ssh_get_hexa() on invalid input
The API function `ssh_get_hexa()` is vulnerable when 0-length
input is provided to it. This function is used internally
in `ssh_get_fingerprint_hash()` and `ssh_print_hexa()` (deprecated),
which are vulnerable to the same input (the length is provided by the
calling application).
The function is also used internally in the GSSAPI code for logging
the OIDs received by the server during GSSAPI authentication. This
could be triggered remotely when the server allows GSSAPI authentication
and logging verbosity is set to at least SSH_LOG_PACKET (3). This
could cause a self-DoS of the per-connection daemon process.
Timeline
Reported to Red Hat.
Made public 15 days later.
Weakness Type
What is a buffer underrun Vulnerability?
The software writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer. This typically occurs when a pointer or its index is decremented to a position before the buffer, when pointer arithmetic results in a position before the beginning of the valid memory location, or when a negative index is used.
CVE-2026-0966 has been classified as a buffer underrun vulnerability or weakness.
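The weakness class described above, as an added example that is not libssh's source code and not part of the original advisory: a colon-separated hex formatter in C whose terminator write lands before the buffer on zero-length input (kept as a comment), next to a hardened form. The names `naive_terminator_offset` and `hex_colon_safe` and the sample bytes are hypothetical, and returning an empty string for zero-length input is a choice made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Unsafe shape, kept as a comment so nothing here writes out of bounds:
 *     out = malloc(len * 3 + 1);
 *     for (i = 0; i < len; i++) { ...two hex digits, then ':'... }
 *     out[len * 3 - 1] = '\0';    // replaces the last ':'
 * With len == 0 the loop never runs and the index is one byte BEFORE out. */

/* Offset from the start of the buffer that the unsafe terminator write
 * would touch; a negative value is a write before the buffer. */
long naive_terminator_offset(size_t len)
{
    return (long)(len * 3) - 1;
}

/* Hardened formatter (hypothetical name): "de:ad:be:ef" style output.
 * Zero-length input yields an empty string; caller frees the result. */
char *hex_colon_safe(const unsigned char *in, size_t len)
{
    static const char digits[] = "0123456789abcdef";
    char *out;
    size_t i;
    if (in == NULL && len != 0)
        return NULL;
    if (len > SIZE_MAX / 3)          /* len * 3 would overflow */
        return NULL;
    out = malloc(len ? len * 3 : 1); /* last ':' slot holds the NUL */
    if (out == NULL)
        return NULL;
    out[0] = '\0';                   /* covers len == 0 */
    for (i = 0; i < len; i++) {
        out[i * 3]     = digits[in[i] >> 4];
        out[i * 3 + 1] = digits[in[i] & 0x0f];
        out[i * 3 + 2] = (i + 1 < len) ? ':' : '\0';
    }
    return out;
}

int main(void)
{
    const unsigned char sample[] = { 0xde, 0xad, 0xbe, 0xef }; /* constructed */
    char *s = hex_colon_safe(sample, sizeof(sample));
    printf("%s, naive offset for len 0: %ld\n", s ? s : "(null)",
           naive_terminator_offset(0));
    free(s);
    return 0;
}
```

Writing the separator or terminator inside the loop removes the post-loop index arithmetic, so no length value can produce an index before the buffer.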