CVE-2025-5987

EPSS 0.06%
Published 07.07.2025 14:24:12
Last modified 22.08.2025 13:11:29
Source secalert@redhat.com
Teams watchlist Login
Open Login

A flaw was found in libssh when using the ChaCha20 cipher with the OpenSSL library. If an attacker manages to exhaust the heap space, this error is not detected and may lead to libssh using a partially initialized cipher context. This occurs because the OpenSSL error code returned aliases with the SSH_OK code, resulting in libssh not properly detecting the error returned by the OpenSSL library. This issue can lead to undefined behavior, including compromised data confidentiality and integrity or crashes.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Libssh ≫ Libssh Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.06%	0.185

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.1	2.2	5.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
secalert@redhat.com	5	1.6	3.4	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE-393 Return of Wrong Status Code

A function or operation returns an incorrect return value or status code that does not indicate an error, but causes the product to modify its behavior based on the incorrect result.

https://access.redhat.com/security/cve/CVE-2025-5987

Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=2376219

Third Party Advisory

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2025-5987

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-5987

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-5987

EUVD