PT-2025-46072 · Julia · Libssh Jll
Published
2025-10-19
·
Updated
2025-10-19
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
A flaw was found in libssh versions built with OpenSSL versions older than 3.0, specifically in the ssh kdf() function responsible for key derivation. Due to inconsistent interpretation of return values where OpenSSL uses 0 to indicate failure and libssh uses 0 for success—the function may mistakenly return a success status even when key derivation fails. This results in uninitialized cryptographic key buffers being used in subsequent communication, potentially compromising SSH sessions' confidentiality, integrity, and availability.
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Libssh Jll