
CVE-2025-5987: Return of Wrong Status Code

Severity: High
Tags: Vulnerability, CVE-2025-5987
Published: Mon Jul 07 2025 (07/07/2025, 14:24:12 UTC)
Source: CVE Database V5
Vendor/Project: Red Hat
Product: Red Hat Enterprise Linux 10

Description

A flaw was found in libssh when using the ChaCha20 cipher with the OpenSSL library. If an attacker manages to exhaust the heap space, this error is not detected and may lead to libssh using a partially initialized cipher context. This occurs because the OpenSSL error code returned aliases with the SSH_OK code, resulting in libssh not properly detecting the error returned by the OpenSSL library. This issue can lead to undefined behavior, including compromised data confidentiality and integrity or crashes.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/20/2026, 21:40:45 UTC

Technical Analysis

CVE-2025-5987 is a vulnerability discovered in libssh version 0.10.0, specifically when using the ChaCha20 cipher in conjunction with the OpenSSL cryptographic library. The root cause is a flaw in error handling: when the heap space is exhausted, OpenSSL returns an error code that aliases with SSH_OK, the success code in libssh. As a result, libssh fails to detect the error and proceeds with a partially initialized cipher context. This improper initialization can lead to undefined behavior, including potential compromise of data confidentiality and integrity or application crashes. The vulnerability is network exploitable without requiring authentication or user interaction, increasing its risk profile. It affects Red Hat Enterprise Linux 10, which bundles libssh 0.10.0. The CVSS v3.1 score is 8.1 (high), reflecting the critical impact on confidentiality, integrity, and availability, combined with network attack vector and no privileges required. Although no known exploits have been reported in the wild, the flaw could be leveraged by attackers to cause denial of service or potentially decrypt or manipulate SSH traffic, undermining secure communications. The issue stems from a subtle error code aliasing problem between OpenSSL and libssh, highlighting the importance of rigorous error handling in cryptographic libraries.
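
The aliasing described above, reduced to a self-contained C sketch (an added example, not libssh or OpenSSL source). `fake_evp_init`, `demo_ctx` and the `set_key_*` wrappers are hypothetical stand-ins; only the numeric conventions are taken from the real libraries: OpenSSL EVP calls return 1 on success and 0 on failure, while libssh's `SSH_OK` is 0 and `SSH_ERROR` is -1.

```c
#include <stdio.h>
#include <string.h>

/* Same numeric values as libssh's public return codes. */
#define SSH_OK 0
#define SSH_ERROR -1

/* Constructed stand-in for a cipher context; not libssh's real struct. */
struct demo_ctx { int key_loaded; };
typedef int (*set_key_fn)(struct demo_ctx *, int);

/* Stand-in for an OpenSSL EVP-style call: 1 on success, 0 on failure.
 * simulate_oom models an allocation failure inside the library. */
static int fake_evp_init(struct demo_ctx *ctx, int simulate_oom)
{
    if (simulate_oom) return 0;
    ctx->key_loaded = 1;
    return 1;
}

/* Flawed pattern: the OpenSSL-style failure code (0) is passed through
 * unchanged, and 0 is exactly what the caller treats as SSH_OK. */
static int set_key_flawed(struct demo_ctx *ctx, int simulate_oom)
{
    int rv = fake_evp_init(ctx, simulate_oom);
    return (rv == 1) ? SSH_OK : rv;
}

/* Corrected pattern: translate the code at the library boundary and
 * wipe the half-built context before reporting the failure. */
static int set_key_checked(struct demo_ctx *ctx, int simulate_oom)
{
    if (fake_evp_init(ctx, simulate_oom) != 1) {
        memset(ctx, 0, sizeof(*ctx));
        return SSH_ERROR;
    }
    return SSH_OK;
}

/* Caller's view: returns 1 when the caller saw "success" and would go on
 * to use a context whose key was never loaded, 0 otherwise. */
static int caller_uses_unkeyed_ctx(set_key_fn set_key, int simulate_oom)
{
    struct demo_ctx ctx = {0};
    if (set_key(&ctx, simulate_oom) != SSH_OK) return 0; /* error detected */
    return ctx.key_loaded == 0;
}

int main(void)
{
    printf("flawed,  alloc failure: unkeyed ctx used = %d\n", caller_uses_unkeyed_ctx(set_key_flawed, 1));
    printf("checked, alloc failure: unkeyed ctx used = %d\n", caller_uses_unkeyed_ctx(set_key_checked, 1));
    return 0;
}
```

When reviewing wrappers around OpenSSL calls, look for any path where an `int` from the library is returned to code that compares against a 0-means-success constant.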

Potential Impact

The vulnerability poses a significant risk to organizations worldwide that use libssh with the ChaCha20 cipher, particularly those running Red Hat Enterprise Linux 10. Exploitation could allow remote attackers to cause application crashes (denial of service) or compromise the confidentiality and integrity of SSH sessions by using a partially initialized cipher context. This undermines the security guarantees of SSH, potentially exposing sensitive data or enabling unauthorized access. Critical infrastructure, cloud service providers, and enterprises relying on secure remote management via SSH are especially vulnerable. The flaw could disrupt operations, lead to data breaches, and erode trust in secure communications. Given the network-exploitable nature and no requirement for authentication, the attack surface is broad. The absence of known exploits currently provides a window for mitigation, but the high CVSS score indicates urgent attention is needed to prevent future exploitation.

Mitigation Recommendations

Organizations should immediately audit their use of libssh, particularly version 0.10.0 on Red Hat Enterprise Linux 10 systems, and avoid using the ChaCha20 cipher with OpenSSL until patches are available. Applying vendor-supplied patches or updates as soon as they are released is critical. In the interim, consider disabling the ChaCha20 cipher in SSH configurations to prevent triggering the vulnerable code path. Implement monitoring for unusual SSH connection failures or crashes that could indicate exploitation attempts. Network-level protections such as firewall rules limiting SSH access to trusted hosts can reduce exposure. Additionally, conduct thorough testing of SSH implementations after patching to ensure error handling is correctly enforced. Security teams should stay informed via Red Hat advisories and CVE databases for updates. Finally, consider deploying intrusion detection systems with signatures for anomalous SSH behavior related to this vulnerability.


Technical Details

Data Version: 5.1
Assigner Short Name: redhat
Date Reserved: 2025-06-10T21:55:45.552Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 686bdc1a6f40f0eb72e9f8ac

Added to database: 7/7/2025, 2:39:22 PM

Last enriched: 3/20/2026, 9:40:45 PM

Last updated: 3/25/2026, 9:03:45 AM
