Home > Vulnerability Database > CVE-2025-5987

Mend.io Vulnerability Database

CVE-2025-5987

Good to know:

Date: July 7, 2025

In libssh 0.10.0 before 0.11.2 if there is an error in initializing ChaCha20 cipher with OpenSSL, an invalid error code is returned. This can happen if there is an heap exhaustion. This error is not correctly detected and could allow libssh to use partially initialized cipher context. This is caused by the mismatch of return value meaning from OpenSSL and libssh, where OpenSSL error (rv=0) aliases with SSH_OK (0) and is returned directly from the function chacha20_poly1305_set_key(). This will likely cause error somewhere down the road.

Severity Score

5.0

Related Resources (5)

Url: https://bugzilla.redhat.com/show_bug.cgi?id=2376219

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-5987

Url: https://seclists.org/oss-sec/2025/q2/284

Url: https://access.redhat.com/security/cve/CVE-2025-5987

Url: https://www.mend.io/vulnerability-database/CVE-2025-5987

Severity Score

5.0

Weakness Type (CWE)

Heap-based Buffer Overflow

CWE-122

Return of Wrong Status Code

CWE-393

Top Fix

Upgrade Version

Upgrade to version https://git.libssh.org/projects/libssh.git - libssh-0.11.2

Learn More

CVSS v3.1

Base Score:	5.0
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2025-5987

Good to know:

Date: July 7, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?