Out-of-Bounds Heap Read Issue in libssh2 Affects SFTP Functionality
CVE-2025-15661

8.3HIGH

Key Information:

Vendor: Libssh2
Status: Libssh2
Vendor: CVE Published:; 18 June 2026

What is CVE-2025-15661?

An out-of-bounds heap read vulnerability was detected in libssh2 within the sftp_symlink() function of src/sftp.c. This flaw can be exploited by a malicious SSH server or a man-in-the-middle attacker to disclose sensitive heap memory contents or potentially cause application crashes. By providing a larger link_len than the actual packet data in SSH_FXP_NAME responses during SFTP READLINK and REALPATH operations, an attacker can trigger an unsafe heap buffer over-read. This occurs due to inadequate validation of the packet buffer size before executing the memcpy operation, making systems running affected libssh2 versions vulnerable to such attacks.

Affected Version(s)

libssh2 0 <= 1.11.1

libssh2 2dae3024897e1898d389835151f4e9606227721d

References

https://github.com/libssh2/libssh2/pull/1705

technical-description

https://github.com/libssh2/libssh2/pull/1717

issue-tracking

https://github.com/libssh2/libssh2/commit/2dae3024897e189...

patch

CVSS V4

Score:

8.3

Severity:

HIGH

Confidentiality:

Low

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 18, 2026
Vulnerability Reserved
Jun 18, 2026

Credit

Joshua Rogers

Tristan Madani (@TristanInSec)

CVE-2025-15661 Data

JSON

Libssh2

What is CVE-2025-15661?

Affected Version(s)

References

CVSS V4

Timeline

Credit