Fluid Attacks Database

Description

A flaw was found in libssh, a library that implements the SSH protocol. When calculating the session ID during the key exchange (KEX) process, an allocation failure in cryptographic functions may lead to a NULL pointer dereference. This issue can cause the client or server to crash.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	libssh	=0.9.5-1 \|\| =0.9.5-1+deb11u1 \|\| =0.9.6-1 \|\| =0.9.6-2 \|\| =0.9.7-0+deb11u1 \|\| =0.9.8-0+deb11u1 \|\| >=0 <0.9.8-0+deb11u2	0.9.8-0+deb11u2
debian 12	libssh	=0.10.5-2 \|\| =0.10.5-3 \|\| =0.10.5-3+hurd.1 \|\| =0.10.6-0+deb12u1 \|\| >=0 <0.10.6-0+deb12u2	0.10.6-0+deb12u2
debian 13	libssh	=0.11.2-1 \|\| >=0 <0.11.2-1+deb13u1	0.11.2-1+deb13u1
debian 14	libssh	=0.11.2-1 \|\| >=0 <0.11.3-1	0.11.3-1
rpm rhel10	libssh	-	-
rpm rhel8	libssh	-	-
rpm rhel9	libssh	<0:0.10.4-18.el9	0:0.10.4-18.el9

Aliases

1. CVE-2025-81142. NVD-2025-81143. OSV-DEBIAN-2025-81144. OSV-2025-81145. SECURITY-TRACKER-CVE-2025-8114

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.