CVE-2025-5987: Libssh ChaCha20 Cipher DOS Vulnerability

CVE-2025-5987 Overview

A critical flaw was discovered in libssh when using the ChaCha20 cipher with the OpenSSL library. If an attacker manages to exhaust the heap space, this error is not detected and may lead to libssh using a partially initialized cipher context. This occurs because the OpenSSL error code returned aliases with the SSH_OK code, resulting in libssh not properly detecting the error returned by the OpenSSL library. This issue can lead to undefined behavior, including compromised data confidentiality and integrity or crashes.

Critical Impact
This vulnerability can compromise the confidentiality and integrity of SSH communications by causing libssh to operate with a partially initialized cipher context, potentially exposing encrypted data or leading to application crashes.

Affected Products

libssh (all versions using ChaCha20 cipher with OpenSSL)
Applications and services built on libssh
Systems running Red Hat Enterprise Linux with affected libssh packages

Discovery Timeline

July 7, 2025 - CVE-2025-5987 published to NVD
January 13, 2026 - Last updated in NVD database

Technical Details for CVE-2025-5987

Vulnerability Analysis

This vulnerability stems from an improper error handling mechanism within libssh's cryptographic initialization routines when using the ChaCha20 cipher in conjunction with OpenSSL. The core issue is a return value aliasing problem (CWE-393: Return of Wrong Status Code) where OpenSSL's error codes are incorrectly interpreted by libssh.

When heap memory allocation fails during cipher context initialization, OpenSSL returns an error code that inadvertently matches libssh's SSH_OK success indicator. This aliasing causes libssh to proceed with cryptographic operations using a cipher context that was not properly initialized, creating a dangerous condition where the encryption state is undefined.

The network-accessible nature of this vulnerability means remote attackers could potentially trigger it by causing heap exhaustion conditions on target systems. While exploitation requires creating specific memory pressure conditions (indicated by high attack complexity), successful exploitation could allow attackers to compromise the confidentiality and integrity of SSH-secured communications without requiring any authentication or user interaction.

Root Cause

The root cause is a return value aliasing issue (CWE-393) where OpenSSL error codes collide with libssh's internal status codes. Specifically, when the EVP_CIPHER_CTX_new() or related OpenSSL functions fail due to heap exhaustion, the returned error value is misinterpreted as SSH_OK by libssh's error checking logic. This allows the library to continue execution with an uninitialized or partially initialized EVP_CIPHER_CTX structure, leading to undefined cryptographic behavior.

Attack Vector

The attack vector is network-based, requiring an attacker to first create heap exhaustion conditions on the target system. This could be achieved through:

Memory pressure attacks: Sending specially crafted requests or payloads that cause excessive memory allocation on the target
Resource exhaustion: Combining this vulnerability with other flaws to gradually deplete available heap memory
Timing attacks: Exploiting race conditions during high-load scenarios when memory is already constrained

Once heap exhaustion is achieved during an SSH session establishment using ChaCha20 cipher, the uninitialized cipher context could result in:

Predictable or weak encryption output
Disclosure of sensitive data in transit
Application crashes causing denial of service
Potential memory corruption leading to further exploitation

The vulnerability affects the ChaCha20 cipher specifically when used with OpenSSL as the underlying cryptographic provider, meaning systems configured to use this cipher combination are at risk.

Detection Methods for CVE-2025-5987

Indicators of Compromise

Unexpected SSH connection failures or crashes during session establishment
Memory exhaustion events coinciding with SSH connection attempts
Abnormal cipher negotiation patterns in SSH handshake logs
Application crashes in libssh-dependent services with memory-related error messages

Detection Strategies

Monitor system memory utilization and correlate spikes with SSH connection activity
Implement logging for OpenSSL initialization failures in applications using libssh
Deploy intrusion detection rules to identify potential heap spray or memory exhaustion attacks targeting SSH services
Audit SSH cipher suite configurations to identify systems using ChaCha20 with OpenSSL-backed libssh

Monitoring Recommendations

Enable verbose logging for libssh-based applications to capture initialization errors
Configure SIEM alerts for memory exhaustion events on systems running SSH services
Monitor for unusual patterns in SSH connection rates that could indicate exploitation attempts
Track system stability metrics for services dependent on libssh

How to Mitigate CVE-2025-5987

Immediate Actions Required

Update libssh to the latest patched version available from your distribution
Apply Red Hat security updates if running affected RHEL systems (see RHSA advisories below)
Consider temporarily disabling ChaCha20 cipher in SSH configurations as a short-term mitigation
Monitor affected systems for signs of memory exhaustion attacks

Patch Information

Multiple security advisories have been released to address this vulnerability:

Additional details are available in the Red Hat CVE Analysis for CVE-2025-5987 and Red Hat Bug Report #2376219.

Workarounds

Configure SSH to use alternative ciphers (e.g., AES-GCM) instead of ChaCha20 until patches are applied
Implement memory limits and resource controls for SSH-related processes to reduce heap exhaustion risk
Deploy network-level protections to rate-limit SSH connection attempts from untrusted sources

bash

# Configuration example - Disable ChaCha20 cipher in SSH config
# Edit /etc/ssh/sshd_config or libssh configuration
# Remove chacha20-poly1305@openssh.com from cipher list

# For OpenSSH sshd_config:
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

# Restart SSH service after configuration change
sudo systemctl restart sshd

CVE-2025-5987 Overview

Critical Impact
This vulnerability can compromise the confidentiality and integrity of SSH communications by causing libssh to operate with a partially initialized cipher context, potentially exposing encrypted data or leading to application crashes.

Affected Products

libssh (all versions using ChaCha20 cipher with OpenSSL)
Applications and services built on libssh
Systems running Red Hat Enterprise Linux with affected libssh packages

Discovery Timeline

July 7, 2025 - CVE-2025-5987 published to NVD
January 13, 2026 - Last updated in NVD database

Technical Details for CVE-2025-5987

Vulnerability Analysis

Root Cause

Attack Vector

The attack vector is network-based, requiring an attacker to first create heap exhaustion conditions on the target system. This could be achieved through:

Memory pressure attacks: Sending specially crafted requests or payloads that cause excessive memory allocation on the target
Resource exhaustion: Combining this vulnerability with other flaws to gradually deplete available heap memory
Timing attacks: Exploiting race conditions during high-load scenarios when memory is already constrained

Once heap exhaustion is achieved during an SSH session establishment using ChaCha20 cipher, the uninitialized cipher context could result in:

Predictable or weak encryption output
Disclosure of sensitive data in transit
Application crashes causing denial of service
Potential memory corruption leading to further exploitation

The vulnerability affects the ChaCha20 cipher specifically when used with OpenSSL as the underlying cryptographic provider, meaning systems configured to use this cipher combination are at risk.

Detection Methods for CVE-2025-5987

Indicators of Compromise

Unexpected SSH connection failures or crashes during session establishment
Memory exhaustion events coinciding with SSH connection attempts
Abnormal cipher negotiation patterns in SSH handshake logs
Application crashes in libssh-dependent services with memory-related error messages

Detection Strategies

Monitor system memory utilization and correlate spikes with SSH connection activity
Implement logging for OpenSSL initialization failures in applications using libssh
Deploy intrusion detection rules to identify potential heap spray or memory exhaustion attacks targeting SSH services
Audit SSH cipher suite configurations to identify systems using ChaCha20 with OpenSSL-backed libssh

Monitoring Recommendations

Enable verbose logging for libssh-based applications to capture initialization errors
Configure SIEM alerts for memory exhaustion events on systems running SSH services
Monitor for unusual patterns in SSH connection rates that could indicate exploitation attempts
Track system stability metrics for services dependent on libssh

How to Mitigate CVE-2025-5987

Immediate Actions Required

Update libssh to the latest patched version available from your distribution
Apply Red Hat security updates if running affected RHEL systems (see RHSA advisories below)
Consider temporarily disabling ChaCha20 cipher in SSH configurations as a short-term mitigation
Monitor affected systems for signs of memory exhaustion attacks

Patch Information

Multiple security advisories have been released to address this vulnerability:

Additional details are available in the Red Hat CVE Analysis for CVE-2025-5987 and Red Hat Bug Report #2376219.

Workarounds

Configure SSH to use alternative ciphers (e.g., AES-GCM) instead of ChaCha20 until patches are applied
Implement memory limits and resource controls for SSH-related processes to reduce heap exhaustion risk
Deploy network-level protections to rate-limit SSH connection attempts from untrusted sources

bash

# Configuration example - Disable ChaCha20 cipher in SSH config
# Edit /etc/ssh/sshd_config or libssh configuration
# Remove chacha20-poly1305@openssh.com from cipher list

# For OpenSSH sshd_config:
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

# Restart SSH service after configuration change
sudo systemctl restart sshd

CVE-2025-5987: Libssh ChaCha20 Cipher DOS Vulnerability

CVE-2025-5987 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2025-5987

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2025-5987

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2025-5987

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform

CVE-2025-5987: Libssh ChaCha20 Cipher DOS Vulnerability

CVE-2025-5987 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2025-5987

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2025-5987

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2025-5987

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform