CVE-2023-6918

LOW

Libssh - Memory Corruption

Title source: llm

Description

A flaw was found in the libssh implements abstract layer for message digest (MD) operations implemented by different supported crypto backends. The return values from these were not properly checked, which could cause low-memory situations failures, NULL dereferences, crashes, or usage of the uninitialized memory as an input for the KDF. In this case, non-matching keys will result in decryption/integrity failures, terminating the connection.

References (9)

[Release Notes] https://www.libssh.org/2023/12/18/libssh-0-10-6-and-libssh-0-9-8-security-releases/

[Vendor Advisory] https://www.libssh.org/security/advisories/CVE-2023-6918.txt

[Vendor Advisory] https://security.netapp.com/advisory/ntap-20250214-0009/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/[email protected]/message/LZQVUHWVWRH73YBXUQJOD6CKHDQBU3DM/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/[email protected]/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2024:2504

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2024:3233

[Mailing List, Vendor Advisory] https://access.redhat.com/security/cve/CVE-2023-6918

[Issue Tracking, Third Party Advisory] https://bugzilla.redhat.com/show_bug.cgi?id=2254997

Scores

CVSS v3 3.7

EPSS 0.0036

EPSS Percentile 58.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Details

CWE

CWE-252

Status published

Products (5)

fedoraproject/fedora 38

fedoraproject/fedora 39

libssh/libssh 0.9.0 - 0.9.8

redhat/enterprise_linux 8.0

redhat/enterprise_linux 9.0

Published Dec 19, 2023

Tracked Since Feb 18, 2026