CVE-2025-5987: Return of Wrong Status Code
CVE-2025-5987 is a high-severity vulnerability in libssh when using the ChaCha20 cipher with OpenSSL. It arises from improper error handling where OpenSSL error codes alias with SSH_OK, causing libssh to overlook heap exhaustion errors. This leads to the use of a partially initialized cipher context, resulting in undefined behavior such as data confidentiality and integrity compromise or crashes. The vulnerability affects Red Hat Enterprise Linux 10 with libssh version 0.10.0. Exploitation requires network access but no authentication or user interaction. Although no known exploits are currently reported in the wild, the impact is significant due to potential data breaches and service disruption. European organizations relying on affected Red Hat systems should prioritize patching once available and implement monitoring for anomalous SSH behavior.
AI Analysis
Technical Summary
CVE-2025-5987 is a vulnerability discovered in libssh version 0.10.0, specifically when using the ChaCha20 cipher in conjunction with the OpenSSL library. The root cause lies in libssh's failure to correctly detect errors returned by OpenSSL during heap exhaustion scenarios. When the heap space is exhausted, OpenSSL returns an error code that aliases with SSH_OK, misleading libssh into believing the cipher context initialization succeeded. Consequently, libssh proceeds with a partially initialized cipher context, which can cause undefined behavior including compromised confidentiality and integrity of SSH communications or application crashes. The vulnerability is network exploitable without requiring authentication or user interaction, increasing its risk profile. The affected product is Red Hat Enterprise Linux 10, which bundles libssh 0.10.0. The CVSS v3.1 score is 8.1 (high), reflecting the ease of remote exploitation and the severe impact on confidentiality, integrity, and availability. No patches or known exploits are currently reported, but the flaw's nature suggests that attackers could potentially intercept or manipulate SSH traffic or cause denial of service conditions.
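The aliasing described above can be reproduced in isolation. The following is an added illustration, not code from libssh or from this advisory: OpenSSL's EVP calls return 1 on success and 0 on failure, while libssh defines SSH_OK as 0 and SSH_ERROR as -1, so a forwarded failure value reads as success. The names `demo_ctx`, `demo_evp_init`, `set_key_flawed`, `set_key_checked` and `outcome` are hypothetical, and the OpenSSL call is simulated so the block runs without linking the library.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Status values as defined in libssh's public header. */
#define SSH_OK     0
#define SSH_ERROR -1
/* Hypothetical stand-in for a cipher context; not libssh's structure. */
struct demo_ctx { bool key_set; unsigned char key[32]; };
typedef int (*set_key_fn)(struct demo_ctx *, const unsigned char *, bool);

/* Simulated OpenSSL-style call (1 = success, 0 = failure); heap_exhausted models a failed allocation. */
static int demo_evp_init(struct demo_ctx *c, const unsigned char *key, bool heap_exhausted)
{
    if (heap_exhausted) return 0;
    memcpy(c->key, key, sizeof c->key);
    c->key_set = true;
    return 1;
}

/* Flawed: forwards the OpenSSL-style result, so failure (0) reads as SSH_OK. */
int set_key_flawed(struct demo_ctx *c, const unsigned char *key, bool heap_exhausted)
{
    int rv = demo_evp_init(c, key, heap_exhausted);
    return rv == 1 ? SSH_OK : rv;
}

/* Checked: maps any non-success result to SSH_ERROR and clears the context. */
int set_key_checked(struct demo_ctx *c, const unsigned char *key, bool heap_exhausted)
{
    if (demo_evp_init(c, key, heap_exhausted) == 1) return SSH_OK;
    memset(c, 0, sizeof *c);
    return SSH_ERROR;
}

/* 0 = caller saw an error, 1 = OK with key set, 2 = OK with key NOT set. */
int outcome(set_key_fn fn, bool heap_exhausted)
{
    struct demo_ctx c = {0};
    unsigned char key[32] = {0x42};   /* constructed sample key */
    if (fn(&c, key, heap_exhausted) != SSH_OK) return 0;
    return c.key_set ? 1 : 2;
}

int main(void)
{
    printf("flawed=%d checked=%d\n", outcome(set_key_flawed, true), outcome(set_key_checked, true));
    return 0;
}
```

Outcome 2 is the condition the advisory describes: the caller is told the setup succeeded and goes on to use a context whose key was never installed.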
Potential Impact
For European organizations, this vulnerability poses a critical risk to secure communications over SSH, a widely used protocol for remote management and data transfer. Compromise of confidentiality and integrity could lead to unauthorized data disclosure, man-in-the-middle attacks, or injection of malicious commands. The potential for application crashes could disrupt critical services, affecting business continuity. Organizations in sectors such as finance, government, healthcare, and critical infrastructure, which heavily rely on Red Hat Enterprise Linux 10 and SSH for secure operations, are particularly at risk. The network-exploitable nature without authentication means attackers can attempt exploitation remotely, increasing exposure. Given the high CVSS score and the strategic importance of secure communications in Europe, the impact could be severe if exploited.
Mitigation Recommendations
Organizations should immediately inventory their systems to identify deployments of Red Hat Enterprise Linux 10 running libssh 0.10.0 with ChaCha20 cipher enabled. Although no patches are currently listed, monitoring Red Hat security advisories for updates or patches addressing CVE-2025-5987 is critical. In the interim, administrators should consider disabling the ChaCha20 cipher in SSH configurations to prevent triggering the vulnerable code path. Employ network-level controls such as firewall rules to restrict SSH access to trusted IPs and implement intrusion detection systems to monitor for anomalous SSH traffic patterns. Regularly audit SSH logs for unusual connection attempts or errors indicative of exploitation attempts. Additionally, ensure that system memory resources are adequately provisioned to reduce the risk of heap exhaustion conditions. Finally, prepare incident response plans to quickly address potential exploitation scenarios.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: redhat
- Date Reserved: 2025-06-10T21:55:45.552Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 686bdc1a6f40f0eb72e9f8ac
Added to database: 7/7/2025, 2:39:22 PM
Last enriched: 2/7/2026, 8:11:24 AM
Last updated: 2/7/2026, 2:04:30 PM