CVE-2026-3731

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-3731
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-3731.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-3731
Downstream
Related
Published
2026-03-08T11:15:50.307Z
Modified
2026-04-24T08:29:20.952383076Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

A weakness has been identified in libssh up to 0.11.3. The impacted element is the function sftpextensionsgetname/sftpextensionsgetdata of the file src/sftp.c of the component SFTP Extension Name Handler. Executing a manipulation of the argument idx can lead to out-of-bounds read. The attack may be performed from remote. Upgrading to version 0.11.4 and 0.12.0 is sufficient to resolve this issue. This patch is called 855a0853ad3abd4a6cd85ce06fce6d8d4c7a0b60. You should upgrade the affected component.

References

Affected packages

Git / gitlab.com/libssh/libssh-mirror

Affected ranges

Type
GIT
Repo
https://gitlab.com/libssh/libssh-mirror
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
301d0e16dfa8a5cac1cff956b6880ca90eb82864
Fixed
855a0853ad3abd4a6cd85ce06fce6d8d4c7a0b60
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "0.11.3"
        }
    ]
}

Affected versions

libssh-0.*
libssh-0.11.0
libssh-0.11.1
libssh-0.11.2
libssh-0.11.3
libssh-0.8.0
Other
release-0-3-0

Database specific

vanir_signatures 
[
    {
        "digest": {
            "function_hash": "24448468969138265884785329107942446000",
            "length": 341.0
        },
        "id": "CVE-2026-3731-254bef34",
        "signature_type": "Function",
        "source": "https://gitlab.com/libssh/libssh-mirror@855a0853ad3abd4a6cd85ce06fce6d8d4c7a0b60",
        "deprecated": false,
        "target": {
            "function": "sftp_extensions_get_data",
            "file": "src/sftp.c"
        },
        "signature_version": "v1"
    },
    {
        "digest": {
            "function_hash": "202487601221476550103335908013974753101",
            "length": 341.0
        },
        "id": "CVE-2026-3731-6aeb4341",
        "signature_type": "Function",
        "source": "https://gitlab.com/libssh/libssh-mirror@855a0853ad3abd4a6cd85ce06fce6d8d4c7a0b60",
        "deprecated": false,
        "target": {
            "function": "sftp_extensions_get_name",
            "file": "src/sftp.c"
        },
        "signature_version": "v1"
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "45869386280972937582204502160812282977",
                "75140046862169441082434852326701470484",
                "151682577421623218729386355289173953547",
                "295959248680867526462238789964720241899",
                "45869386280972937582204502160812282977",
                "75140046862169441082434852326701470484",
                "151682577421623218729386355289173953547",
                "295959248680867526462238789964720241899"
            ]
        },
        "id": "CVE-2026-3731-844a70da",
        "source": "https://gitlab.com/libssh/libssh-mirror@855a0853ad3abd4a6cd85ce06fce6d8d4c7a0b60",
        "signature_type": "Line",
        "deprecated": false,
        "target": {
            "file": "src/sftp.c"
        },
        "signature_version": "v1"
    }
]
source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-3731.json"
vanir_signatures_modified 
"2026-04-15T14:02:25Z"