CVE-2025-8114
Description
A flaw was found in libssh, a library that implements the SSH protocol. When calculating the session ID during the key exchange (KEX) process, an allocation failure in cryptographic functions may lead to a NULL pointer dereference. This issue can cause the client or server to crash.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
libssh crashes due to a NULL pointer dereference when an allocation failure occurs during session ID calculation in the key exchange process.
Vulnerability Description
CVE-2025-8114 is a NULL pointer dereference vulnerability found in libssh, a library implementing the SSH protocol. The flaw occurs during the calculation of the session ID in the key exchange (KEX) process. When an allocation failure happens in cryptographic functions, the code can dereference a NULL pointer, leading to a crash of either the SSH client or server [1][3].
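The bug class described above, shown as an added illustration in C; this is not libssh source code. Every name here (`toy_hash`, `session_id_unchecked`, `session_id_checked`, `fail_alloc`) is hypothetical, and the digest is a non-cryptographic FNV-1a stand-in for the real hash used in key exchange.

```c
/* Added illustration: hypothetical names, not libssh source code. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define ID_LEN 8

static int fail_alloc = 0;            /* test hook: simulate out-of-memory once */

struct toy_hash { uint64_t state; };  /* stand-in for a digest context */

static struct toy_hash *toy_hash_new(void) {
    if (fail_alloc) { fail_alloc = 0; return NULL; }
    struct toy_hash *h = malloc(sizeof(*h));
    if (h != NULL) h->state = 1469598103934665603ULL;  /* FNV-1a offset basis */
    return h;
}

static void toy_hash_update(struct toy_hash *h, const uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++) { h->state ^= p[i]; h->state *= 1099511628211ULL; }
}

static void toy_hash_final(struct toy_hash *h, uint8_t out[ID_LEN]) {
    for (int i = 0; i < ID_LEN; i++) out[i] = (uint8_t)(h->state >> (8 * i));
    free(h);
}

/* Flawed pattern: the context is used without checking the allocation.
 * If toy_hash_new() returns NULL, toy_hash_update() dereferences NULL. */
int session_id_unchecked(const uint8_t *kex, size_t n, uint8_t out[ID_LEN]) {
    struct toy_hash *h = toy_hash_new();
    toy_hash_update(h, kex, n);
    toy_hash_final(h, out);
    return 0;
}

/* Hardened pattern: fail the key exchange cleanly and leave no partial ID. */
int session_id_checked(const uint8_t *kex, size_t n, uint8_t out[ID_LEN]) {
    struct toy_hash *h = toy_hash_new();
    if (h == NULL) {
        memset(out, 0, ID_LEN);
        return -1;                    /* caller must abort the handshake */
    }
    toy_hash_update(h, kex, n);
    toy_hash_final(h, out);
    return 0;
}

/* Helper: run the checked path with one injected allocation failure. */
int checked_with_oom(const uint8_t *kex, size_t n, uint8_t out[ID_LEN]) {
    fail_alloc = 1;
    return session_id_checked(kex, n, out);
}
```

Injecting allocation failures in this way (here through the `fail_alloc` hook) is how unchecked paths of this kind are usually found in testing, since real out-of-memory conditions are rare during normal runs.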
Exploitation Conditions
Exploitation requires an attacker to trigger an allocation failure within the libssh library during the KEX session ID calculation. This is a local or adjacent threat that requires the attacker to influence the SSH session state. The CVSSv3 vector (AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H) describes a low-privileged local attacker and high attack complexity, with no user interaction needed to cause a denial of service [3].
Impact
Successful exploitation results in a denial of service (DoS) condition, causing the SSH client or server to crash. The impact is limited to availability, with no impact on confidentiality or integrity [2][3].
Mitigation
A patch is available from the libssh security page, and the issue is fixed in libssh version 0.11.3. Users should upgrade to this or a later release to remediate the vulnerability. No workaround exists [3][4].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
References
- access.redhat.com/security/cve/CVE-2025-8114 (NVD, Third Party Advisory)
- bugzilla.redhat.com/show_bug.cgi (NVD, Issue Tracking, Third Party Advisory)
- access.redhat.com/errata/RHSA-2026:18683 (NVD)
- git.libssh.org/projects/libssh.git/commit/ (NVD)
- git.libssh.org/projects/libssh.git/commit/ (NVD)
- www.libssh.org/security/advisories/CVE-2025-8114.txt (NVD)