CVE-2026-0964 Overview
A path traversal vulnerability exists in libssh's SCP client implementation that allows a malicious SCP server to send unexpected paths, potentially causing the client application to override local files outside of the intended working directory. This vulnerability could be exploited to create malicious executable or configuration files on the client system, which users may inadvertently execute under specific circumstances.
This vulnerability is functionally equivalent to CVE-2019-6111 that affected OpenSSH, representing the same class of SCP protocol abuse in the libssh implementation.
Critical Impact
A malicious SCP server can overwrite arbitrary files on the client system, potentially leading to code execution if executable or configuration files are targeted.
Affected Products
- libssh versions prior to 0.12.0
- libssh versions prior to 0.11.4
- Applications utilizing vulnerable libssh SCP client functionality
Discovery Timeline
- 2026-02-10 - libssh releases security patches (0.12.0 and 0.11.4)
- 2026-03-26 - CVE CVE-2026-0964 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-0964
Vulnerability Analysis
This vulnerability falls under CWE-22 (Path Traversal), where the SCP client fails to properly validate file paths received from a remote SCP server. The SCP protocol inherently trusts the server to provide legitimate file paths during file transfer operations. However, a malicious server can exploit this trust by sending path components that include directory traversal sequences or absolute paths.
The attack requires user interaction—specifically, a user must initiate an SCP connection to a malicious server. The network-based attack vector combined with the requirement for user interaction and high attack complexity results in a medium severity classification.
When successful, an attacker could achieve limited impacts on confidentiality, integrity, and availability by placing or overwriting files in unexpected locations on the client filesystem.
Root Cause
The root cause lies in insufficient validation of server-supplied file paths during SCP file transfer operations. The SCP client implementation does not adequately sanitize path information received from the server before writing files to the local filesystem. This allows an attacker controlling a malicious SCP server to specify paths containing ../ sequences or absolute paths that escape the intended download directory.
Attack Vector
The attack requires a victim to connect to a malicious SCP server controlled by the attacker. When the client initiates a file transfer, the server can respond with crafted file paths that cause files to be written outside the expected destination directory. The attacker could overwrite:
- Configuration files (e.g., .bashrc, .ssh/authorized_keys)
- Executable scripts in PATH directories
- Application configuration files that could alter program behavior
The exploitation scenario depends on the permissions of the user running the SCP client and the specific files that can be overwritten.
Detection Methods for CVE-2026-0964
Indicators of Compromise
- Unexpected file modifications in user home directories, particularly configuration files like .bashrc, .profile, or .ssh/authorized_keys
- New or modified executable files appearing in user-writable directories within the PATH
- SCP transfer logs showing unusual destination paths or path traversal sequences
- Modification timestamps on critical configuration files that don't correspond to legitimate user activity
Detection Strategies
- Monitor filesystem activity during SCP transfers for writes outside expected directories
- Implement file integrity monitoring (FIM) on critical system and user configuration files
- Review SCP client logs for connections to untrusted or unknown servers
- Deploy endpoint detection that can identify path traversal patterns in file operations
Monitoring Recommendations
- Enable detailed logging for SCP client operations where possible
- Implement baseline monitoring for critical user and system configuration files
- Configure alerts for unauthorized modifications to executable files and scripts
- Monitor network connections for SCP traffic to unusual or suspicious destinations
How to Mitigate CVE-2026-0964
Immediate Actions Required
- Update libssh to version 0.12.0 or 0.11.4 or later immediately
- Audit systems for any signs of compromise, particularly checking for unexpected file modifications
- Review recent SCP transfer activity to identify connections to untrusted servers
- Consider using SFTP instead of SCP where possible, as SFTP provides better path handling
Patch Information
The libssh project has released security updates to address this vulnerability. Users should upgrade to:
- libssh 0.12.0 (for the 0.12.x branch)
- libssh 0.11.4 (for the 0.11.x branch)
For additional details, refer to the libssh Security Release Announcement. Red Hat users can consult the Red Hat CVE-2026-0964 Advisory and Red Hat Bugzilla #2436979 for distribution-specific guidance.
Workarounds
- Avoid using SCP to transfer files from untrusted or unknown servers
- Use SFTP as an alternative protocol when connecting to remote systems
- Implement strict directory permissions to limit the impact of potential file overwrites
- Consider using chroot or containerization to isolate SCP operations from critical system files
# Verify installed libssh version
rpm -q libssh || dpkg -l libssh* 2>/dev/null
# Update libssh on RHEL/CentOS systems
sudo dnf update libssh
# Update libssh on Debian/Ubuntu systems
sudo apt update && sudo apt upgrade libssh-4
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
