CVE-2025-5372 MEDIUM

CVE-2025-5372: Libssh: incorrect return code handling in ssh_kdf() in libssh

Vendor Libssh
Product libssh
Weakness CWE-682
Published July 4, 2025
Last update June 15, 2026

CVSS base score

5.0/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

What the vulnerability does

01Description

A flaw was found in libssh versions built with OpenSSL versions older than 3.0, specifically in the ssh_kdf() function responsible for key derivation. Due to inconsistent interpretation of return values where OpenSSL uses 0 to indicate failure and libssh uses 0 for success—the function may mistakenly return a success status even when key derivation fails. This results in uninitialized cryptographic key buffers being used in subsequent communication, potentially compromising SSH sessions' confidentiality, integrity, and availability.

Key dates

02Disclosure timeline

July 4, 2025 CVE published
June 15, 2026 Record updated