CVE-2025-15661

libssh2 - Heap Buffer Over-read via sftp_symlink() in sftp.c

Assigner: VulnCheck
Reserved: 18.06.2026 Published: 18.06.2026 Updated: 18.06.2026

libssh2 through 1.11.1, fixed in commit 2dae302, contains an out-of-bounds heap read vulnerability in the sftp_symlink() function in src/sftp.c that allows a malicious SSH server or man-in-the-middle attacker to disclose heap memory contents or cause a crash by sending a crafted SSH_FXP_NAME response. Attackers can supply a link_len value larger than the actual packet data in SSH_FXP_NAME responses for SFTP READLINK and REALPATH operations, triggering a heap buffer over-read of up to target_len minus one bytes due to the missing validation of available packet buffer size before the memcpy operation.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
CVSS Score: 8.3

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	Low	Confidentiality	None
Attack Complexity	High	Integrity	None	Integrity	None
Attack Requirements	None	Availability	High	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H
CVSS Score: 6.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	libssh2
Product	libssh2
Versions	Default: affected affected from 0 to 1.11.1 (incl.) Version 2dae3024897e1898d389835151f4e9606227721d is unaffected

Vendor

libssh2

Product

libssh2

Versions

Default: affected

affected from 0 to 1.11.1 (incl.)
Version 2dae3024897e1898d389835151f4e9606227721d is unaffected

Credits

Joshua Rogers finder
Tristan Madani (@TristanInSec) reporter

References

Problem Types