Libssh DoS via regex backtracking in match_pattern with crafted hostnames
CVE-2026-0967 Published on March 26, 2026

libssh: denial of service via inefficient regular expression processing
A flaw was found in libssh. A remote attacker, by controlling client configuration files or known_hosts files, could craft specific hostnames that, when processed by the `match_pattern()` function, can lead to inefficient regular expression backtracking. This can cause timeouts and resource exhaustion, resulting in a Denial of Service (DoS) for the client.

Timeline

Reported to Red Hat.

Made public 6 days later.

Weakness Type

What is a ReDoS Vulnerability?

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles. Some regular expression engines have a feature called "backtracking". If the token cannot match, the engine "backtracks" to a position that may result in a different token that can match. Backtracking becomes a weakness if all of these conditions are met:

CVE-2026-0967 has been classified as a ReDoS vulnerability or weakness.


Affected Versions

Red Hat Enterprise Linux 10:
Red Hat Enterprise Linux 6:
Red Hat Enterprise Linux 7:
Red Hat Enterprise Linux 8:
Red Hat Enterprise Linux 9:
Red Hat OpenShift Container Platform 4: