CVE Catalog

CVE-2025-4878

LowCVSS 3.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.18%

8th percentile — higher than 8% of all known CVEs

Summary

A vulnerability was found in libssh involving an uninitialized variable in the privatekey_from_file() function. It is triggered when the specified file does not exist, potentially leading to signing failures or heap corruption.

Risk Assessment

The risk includes potential heap corruption and unpredictable signing behavior, which could cause service crashes or compromise data integrity.

Recommendation

It is recommended to update libssh to the latest patched version and ensure that applications using libssh are properly protected against this vulnerability.

Original NVD description (English source)

A vulnerability was found in libssh, where an uninitialized variable exists under certain conditions in the privatekey_from_file() function. This flaw can be triggered if the file specified by the filename doesn't exist and may lead to possible signing failures or heap corruption.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS