Medium severity5.5NVD Advisory· Published Mar 26, 2026· Updated Apr 2, 2026

CVE-2026-0967

Description

A flaw was found in libssh. A remote attacker, by controlling client configuration files or known_hosts files, could craft specific hostnames that when processed by the match_pattern() function can lead to inefficient regular expression backtracking. This can cause timeouts and resource exhaustion, resulting in a Denial of Service (DoS) for the client.

Affected products

Libssh/Libssh
cpe:2.3:a:libssh:libssh:*:*:*:*:*:*:*:*
Range: <=0.11.3
Red Hat/Enterprise Linux2 versions
cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

access.redhat.com/security/cve/CVE-2026-0967nvdThird Party Advisory
bugzilla.redhat.com/show_bug.cginvdThird Party Advisory
www.libssh.org/2026/02/10/libssh-0-12-0-and-0-11-4-security-releases/nvdRelease Notes

News mentions

[Guest Diary] New Malware Libraries means New Signatures, (Fri, May 15th)
SANS Internet Storm Center · May 15, 2026

cvss	0.358
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000