CVE-2025-5449 MEDIUM

CVE-2025-5449: Libssh: integer overflow in libssh sftp server packet length validation leading to denial of service

Vendor Red Hat
Product Red Hat Enterprise Linux 10
Weakness CWE-190
Published July 25, 2025
Last update January 8, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

Description

A flaw was found in the SFTP server message decoding logic of libssh. The issue occurs because an incorrect packet length check allows an integer overflow when large payload sizes are handled on 32-bit systems. The overflow leads to a failed memory allocation and causes the server process to crash, resulting in a denial of service.
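To make the bug class concrete, here is a constructed C illustration, added to this record and not libssh's code or its fix, of a packet length check that wraps in 32-bit arithmetic beside a form that bounds the untrusted length before any addition. The header size and packet limit are hypothetical, and uint32_t stands in for a 32-bit size_t so the wrap-around reproduces on any host.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration of CWE-190 in a packet-length check; not libssh's code.
 * uint32_t models a 32-bit size_t so the wrap-around is reproducible on any host. */
#define HDR_LEN     9u                 /* hypothetical fixed header size */
#define MAX_PACKET  (256u * 1024u)     /* hypothetical largest acceptable packet */

/* Vulnerable pattern: the untrusted length is added to the header size first.
 * For len close to UINT32_MAX the sum wraps, the wrapped value passes the bound,
 * and the caller goes on to size a buffer from a number that never made sense. */
bool length_ok_vulnerable(uint32_t len) {
    uint32_t total = len + HDR_LEN;    /* wraps when len > UINT32_MAX - HDR_LEN */
    return total <= MAX_PACKET;
}

/* Hardened pattern: compare the untrusted length against the remaining budget,
 * so no arithmetic on the peer-controlled value can wrap. */
bool length_ok_safe(uint32_t len) {
    return len <= MAX_PACKET - HDR_LEN;
}

/* Size the check would hand to the allocator, or 0 if the packet is rejected. */
uint32_t alloc_size(uint32_t len, bool (*check)(uint32_t)) {
    if (!check(len)) return 0;
    return len + HDR_LEN;
}

int main(void) {
    /* constructed inputs: a normal length, the limit itself, and a wrapping one */
    uint32_t lens[] = { 100u, MAX_PACKET, 0xFFFFFFF8u };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        printf("len=%10u vulnerable->%u safe->%u\n", (unsigned)lens[i],
               (unsigned)alloc_size(lens[i], length_ok_vulnerable),
               (unsigned)alloc_size(lens[i], length_ok_safe));
    }
    return 0;
}
```

For the wrapping input the vulnerable check accepts the packet and asks the allocator for a single byte, which is the kind of mismatch that ends in a failed allocation or crash; the hardened check rejects it outright.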

Key dates

Disclosure timeline

July 25, 2025 CVE published
January 8, 2026 Record updated