8.8
CVE-2025-5372
- EPSS 0.41%
- Veröffentlicht 04.07.2025 06:01:27
- Zuletzt bearbeitet 15.06.2026 03:16:22
- Quelle secalert@redhat.com
- CVE-Watchlists
- Unerledigt
Libssh: incorrect return code handling in ssh_kdf() in libssh
A flaw was found in libssh versions built with OpenSSL versions older than 3.0, specifically in the ssh_kdf() function responsible for key derivation. Due to inconsistent interpretation of return values where OpenSSL uses 0 to indicate failure and libssh uses 0 for success—the function may mistakenly return a success status even when key derivation fails. This results in uninitialized cryptographic key buffers being used in subsequent communication, potentially compromising SSH sessions' confidentiality, integrity, and availability.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Redhat ≫ Openshift Container Platform Version4.0
Redhat ≫ Enterprise Linux Version6.0
Redhat ≫ Enterprise Linux Version7.0
Redhat ≫ Enterprise Linux Version8.0
Redhat ≫ Enterprise Linux Version9.0
Redhat ≫ Enterprise Linux Version10.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.41% | 0.323 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
| secalert@redhat.com | 5 | 1.6 | 3.4 |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
|
CWE-682 Incorrect Calculation
The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
https://access.redhat.com/security/cve/CVE-2025-5372
https://bugzilla.redhat.com/show_bug.cgi?id=2369388
https://access.redhat.com/errata/RHSA-2025:21977
https://access.redhat.com/errata/RHSA-2025:23024
https://access.redhat.com/errata/RHSA-2026:20610
https://access.redhat.com/errata/RHSA-2026:24349
https://access.redhat.com/errata/RHSA-2026:25911