SUSE-SU-2026:1565-1

CVE-2026-0964: improper sanitation of paths received from SCP servers can cause path traversal (bsc#1258049).
CVE-2026-0965: possible denial of service when parsing unexpected configuration files (bsc#1258045).
CVE-2026-0966: buffer underflow in sshgethexa() on invalid input (bsc#1258054).
CVE-2026-0967: specially crafted patterns could cause denial of service (bsc#1258081).
CVE-2026-0968: malformed SFTP message can lead to out of bound read (bsc#1258080).
CVE-2026-3731: denial of service via out-of-bounds read in SFTP extension name handler (bsc#1259377).

References

Affected packages

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.9.8-150400.3.17.1

{
    "binaries": [
        {
            "libssh4": "0.9.8-150400.3.17.1",
            "libssh-config": "0.9.8-150400.3.17.1"
        }
    ]
}

source

"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2026:1565-1.json"

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.9.8-150400.3.17.1

{
    "binaries": [
        {
            "libssh4": "0.9.8-150400.3.17.1",
            "libssh-config": "0.9.8-150400.3.17.1"
        }
    ]
}

source

"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2026:1565-1.json"

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.9.8-150400.3.17.1

{
    "binaries": [
        {
            "libssh4": "0.9.8-150400.3.17.1",
            "libssh-config": "0.9.8-150400.3.17.1"
        }
    ]
}

source

"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2026:1565-1.json"