Bug 2369131 (CVE-2025-5318)

Summary: CVE-2025-5318 libssh: out-of-bounds read in sftp_handle()
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: adudiak, kshier, omaciel, security-response-team, stcannon, yguenane
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in the libssh library. An out-of-bounds read can be triggered in the sftp_handle() function due to an incorrect comparison check that lets the function access memory beyond the valid handle list and return an invalid pointer, which is then used in further processing. This vulnerability allows an authenticated remote attacker to potentially read unintended memory regions, exposing sensitive information or affecting service behavior.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2374586, 2374587    
Bug Blocks:    
Deadline: 2025-06-24   

Description OSIDB Bzimport 2025-05-29 07:05:51 UTC
Out-of-Bounds Read vulnerability in the SFTP server implementation of libssh, specifically within the sftp_handle() function. The flaw is due to an incorrect boundary check that permits the function to access memory beyond the valid handle list. This leads to the return of an invalid pointer, which is subsequently used in further processing. Although the issue requires authenticated access to the server, it can be exploited by a remote attacker with valid credentials to potentially read unintended memory regions, which could expose sensitive information or affecting service behavior.
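The kind of comparison error the description above refers to, as an added example that is not libssh's code and is not taken from this bug: a constructed model of an SFTP server handle table in which the lookup's bound check accepts an index equal to the table size, so the slot one past the end of the handle list is read and handed back as if it were a handle pointer. HANDLE_SLOTS, the 4-byte host-order handle encoding, the function names, and the `>`-versus-`>=` form of the flaw are assumptions of this model, not details from the libssh source.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of an SFTP server handle table (not libssh's code).
 * HANDLE_SLOTS and the 4-byte host-order handle encoding are assumptions. */
#define HANDLE_SLOTS 4

struct handle_table {
    /* Slots 0..HANDLE_SLOTS-1 are the valid handle list. Slot HANDLE_SLOTS
     * is not a handle: it stands in for whatever memory follows the real
     * table, so the demo can read it without undefined behaviour. */
    void *backing[HANDLE_SLOTS + 1];
};

/* Decode a wire handle into a slot index; returns 0 on a bad length. */
static int decode_handle(const uint8_t *handle, size_t len, uint32_t *index)
{
    if (len != sizeof(uint32_t)) {
        return 0;
    }
    memcpy(index, handle, sizeof(uint32_t));
    return 1;
}

/* Vulnerable lookup: '>' lets index == HANDLE_SLOTS through (one past end). */
void *lookup_handle_vulnerable(struct handle_table *t,
                               const uint8_t *handle, size_t len)
{
    uint32_t index;
    if (!decode_handle(handle, len, &index)) {
        return NULL;
    }
    if (index > HANDLE_SLOTS) {          /* off by one */
        return NULL;
    }
    return t->backing[index];
}

/* Fixed lookup: '>=' rejects every index that is not a valid slot. */
void *lookup_handle_fixed(struct handle_table *t,
                          const uint8_t *handle, size_t len)
{
    uint32_t index;
    if (!decode_handle(handle, len, &index)) {
        return NULL;
    }
    if (index >= HANDLE_SLOTS) {
        return NULL;
    }
    return t->backing[index];
}

/* Build the 4-byte wire handle a client would send for a slot index. */
void encode_handle(uint32_t index, uint8_t out[4])
{
    memcpy(out, &index, sizeof(index));
}

/* Run one lookup against a constructed demo table and classify the result:
 * 0 = rejected (NULL), 1 = a real handle object, 2 = memory beyond the
 * handle list returned as if it were a handle. */
int classify_lookup(int use_fixed, uint32_t index)
{
    static int real_object;          /* stands in for a live file handle */
    static int beyond_table;         /* stands in for memory past the list */
    struct handle_table t;
    uint8_t wire[4];
    void *result;
    size_t i;

    memset(&t, 0, sizeof(t));
    for (i = 0; i < HANDLE_SLOTS; i++) {
        t.backing[i] = &real_object;
    }
    t.backing[HANDLE_SLOTS] = &beyond_table;

    encode_handle(index, wire);
    result = use_fixed ? lookup_handle_fixed(&t, wire, sizeof(wire))
                       : lookup_handle_vulnerable(&t, wire, sizeof(wire));

    if (result == NULL) {
        return 0;
    }
    if (result == &real_object) {
        return 1;
    }
    return 2;
}

int main(void)
{
    static const char *names[] = { "rejected", "valid handle", "OUT OF BOUNDS" };
    uint32_t probes[] = { 0, HANDLE_SLOTS - 1, HANDLE_SLOTS, HANDLE_SLOTS + 1 };
    size_t i;
    for (i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
        printf("index %u: vulnerable=%s fixed=%s\n", (unsigned)probes[i],
               names[classify_lookup(0, probes[i])],
               names[classify_lookup(1, probes[i])]);
    }
    return 0;
}
```

The point the model makes is that the only input the attacker controls is the handle string, which an authenticated SFTP client supplies on every read, write, close or fstat request; a single off-by-one in the comparison turns that into a read of whatever follows the table, and the stale pointer then flows into the rest of the request handling.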