OpenSSH ssh_get_hexa Zero-Length Leak Self-DoS via GSSAPI
CVE-2026-0966 Published on March 26, 2026
Libssh: libssh: denial of service via zero-length input in ssh_get_hexa()
A flaw was found in libssh. The API function `ssh_get_hexa()` is vulnerable to a denial of service when processing zero-length input. This can be exploited remotely by an attacker during GSSAPI (Generic Security Service Application Program Interface) authentication if the server's logging verbosity is set to `SSH_LOG_PACKET (3)` or higher. Successful exploitation could lead to a self-Denial of Service of the per-connection daemon process.
Timeline
Reported to Red Hat.
Made public. 15 days later.
Weakness Type
What is a buffer underrun Vulnerability?
The software writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer. This typically occurs when a pointer or its index is decremented to a position before the buffer, when pointer arithmetic results in a position before the beginning of the valid memory location, or when a negative index is used.
CVE-2026-0966 has been classified to as a buffer underrun vulnerability or weakness.
Products Associated with CVE-2026-0966
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2026-0966 are published in these products:
Affected Versions
Red Hat Enterprise Linux 10:- Version 0:0.12.0-2.el10 and below * is unaffected.
- Version 0:0.10.4-18.el9 and below * is unaffected.
- Version 0:0.10.4-18.el9 and below * is unaffected.
- Version 0.12.0-1.1.hum1 and below * is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.