CVE-2023-6918

LOW

Libssh - Memory Corruption

Title source: llm

Description

A flaw was found in the libssh implements abstract layer for message digest (MD) operations implemented by different supported crypto backends. The return values from these were not properly checked, which could cause low-memory situations failures, NULL dereferences, crashes, or usage of the uninitialized memory as an input for the KDF. In this case, non-matching keys will result in decryption/integrity failures, terminating the connection.

References (9)

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2024:2504

[Mailing List, Vendor Advisory] https://access.redhat.com/security/cve/CVE-2023-6918

[Issue Tracking, Third Party Advisory] https://bugzilla.redhat.com/show_bug.cgi?id=2254997

[Release Notes] https://www.libssh.org/2023/12/18/libssh-0-10-6-and-libssh-0-9-8-security-releases/

[Vendor Advisory] https://www.libssh.org/security/advisories/CVE-2023-6918.txt

[Vendor Advisory] https://security.netapp.com/advisory/ntap-20250214-0009/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/[email protected]/message/LZQVUHWVWRH73YBXUQJOD6CKHDQBU3DM/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/[email protected]/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2024:3233

Scores

CVSS v3 3.7

EPSS 0.0037

EPSS Percentile 58.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Classification

CWE

CWE-252

Status published

Affected Products (5)

libssh/libssh < 0.9.8

fedoraproject/fedora

fedoraproject/fedora

redhat/enterprise_linux

redhat/enterprise_linux

Timeline

Published Dec 19, 2023

Tracked Since Feb 18, 2026