{
  "document": {
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "TuxCare License Agreement",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://tuxcare.com/contact/",
      "name": "TuxCare",
      "namespace": "https://tuxcare.com/"
    },
    "references": [
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.tuxcare.com/csaf/v2/els_os/oraclelinux7els/vex/2025/cve-2025-15661-els_os-oraclelinux7els.json"
      }
    ],
    "tracking": {
      "current_release_date": "2026-06-26T12:31:49Z",
      "generator": {
        "date": "2026-06-26T12:31:49Z",
        "engine": {
          "name": "pyCSAF"
        }
      },
      "id": "CVE-2025-15661-ELS_OS-ORACLELINUX7ELS",
      "initial_release_date": "2025-01-01T00:00:00Z",
      "revision_history": [
        {
          "date": "2025-01-01T00:00:00Z",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-06-24T16:28:51Z",
          "number": "2",
          "summary": "Official Publication"
        },
        {
          "date": "2026-06-25T20:26:41Z",
          "number": "3",
          "summary": "Update document"
        },
        {
          "date": "2026-06-26T12:31:49Z",
          "number": "4",
          "summary": "Update document"
        }
      ],
      "status": "final",
      "version": "4"
    },
    "title": "Security update on CVE-2025-15661"
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libssh2-0:1.8.0-4.el7_9.1.i686",
                "product": {
                  "name": "libssh2-0:1.8.0-4.el7_9.1.i686",
                  "product_id": "libssh2-0:1.8.0-4.el7_9.1.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/oracle/libssh2@1.8.0-4.el7_9.1?arch=i686"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "libssh2-devel-0:1.8.0-4.el7_9.1.i686",
                "product": {
                  "name": "libssh2-devel-0:1.8.0-4.el7_9.1.i686",
                  "product_id": "libssh2-devel-0:1.8.0-4.el7_9.1.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/oracle/libssh2-devel@1.8.0-4.el7_9.1?arch=i686"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "i686"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libssh2-0:1.8.0-4.el7_9.1.x86_64",
                "product": {
                  "name": "libssh2-0:1.8.0-4.el7_9.1.x86_64",
                  "product_id": "libssh2-0:1.8.0-4.el7_9.1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/oracle/libssh2@1.8.0-4.el7_9.1?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "libssh2-devel-0:1.8.0-4.el7_9.1.x86_64",
                "product": {
                  "name": "libssh2-devel-0:1.8.0-4.el7_9.1.x86_64",
                  "product_id": "libssh2-devel-0:1.8.0-4.el7_9.1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/oracle/libssh2-devel@1.8.0-4.el7_9.1?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libssh2-docs-0:1.8.0-4.el7_9.1.noarch",
                "product": {
                  "name": "libssh2-docs-0:1.8.0-4.el7_9.1.noarch",
                  "product_id": "libssh2-docs-0:1.8.0-4.el7_9.1.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/oracle/libssh2-docs@1.8.0-4.el7_9.1?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Oracle Linux 7",
                "product": {
                  "name": "Oracle Linux 7",
                  "product_id": "Oracle-Linux-7",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:oracle:linux:7:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Oracle Linux"
          }
        ],
        "category": "vendor",
        "name": "Oracle Corporation"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libssh2-0:1.8.0-4.el7_9.1.tuxcare.els1.i686",
                "product": {
                  "name": "libssh2-0:1.8.0-4.el7_9.1.tuxcare.els1.i686",
                  "product_id": "libssh2-0:1.8.0-4.el7_9.1.tuxcare.els1.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/libssh2@1.8.0-4.el7_9.1.tuxcare.els1?arch=i686"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "libssh2-devel-0:1.8.0-4.el7_9.1.tuxcare.els1.i686",
                "product": {
                  "name": "libssh2-devel-0:1.8.0-4.el7_9.1.tuxcare.els1.i686",
                  "product_id": "libssh2-devel-0:1.8.0-4.el7_9.1.tuxcare.els1.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/libssh2-devel@1.8.0-4.el7_9.1.tuxcare.els1?arch=i686"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "i686"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libssh2-0:1.8.0-4.el7_9.1.tuxcare.els1.x86_64",
                "product": {
                  "name": "libssh2-0:1.8.0-4.el7_9.1.tuxcare.els1.x86_64",
                  "product_id": "libssh2-0:1.8.0-4.el7_9.1.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/libssh2@1.8.0-4.el7_9.1.tuxcare.els1?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "libssh2-devel-0:1.8.0-4.el7_9.1.tuxcare.els1.x86_64",
                "product": {
                  "name": "libssh2-devel-0:1.8.0-4.el7_9.1.tuxcare.els1.x86_64",
                  "product_id": "libssh2-devel-0:1.8.0-4.el7_9.1.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/libssh2-devel@1.8.0-4.el7_9.1.tuxcare.els1?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libssh2-docs-0:1.8.0-4.el7_9.1.tuxcare.els1.noarch",
                "product": {
                  "name": "libssh2-docs-0:1.8.0-4.el7_9.1.tuxcare.els1.noarch",
                  "product_id": "libssh2-docs-0:1.8.0-4.el7_9.1.tuxcare.els1.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/libssh2-docs@1.8.0-4.el7_9.1.tuxcare.els1?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "TuxCare"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libssh2-0:1.8.0-4.el7_9.1.tuxcare.els1.i686 as a component of Oracle Linux 7",
          "product_id": "Oracle-Linux-7:libssh2-0:1.8.0-4.el7_9.1.tuxcare.els1.i686"
        },
        "product_reference": "libssh2-0:1.8.0-4.el7_9.1.tuxcare.els1.i686",
        "relates_to_product_reference": "Oracle-Linux-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libssh2-0:1.8.0-4.el7_9.1.tuxcare.els1.x86_64 as a component of Oracle Linux 7",
          "product_id": "Oracle-Linux-7:libssh2-0:1.8.0-4.el7_9.1.tuxcare.els1.x86_64"
        },
        "product_reference": "libssh2-0:1.8.0-4.el7_9.1.tuxcare.els1.x86_64",
        "relates_to_product_reference": "Oracle-Linux-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libssh2-devel-0:1.8.0-4.el7_9.1.tuxcare.els1.i686 as a component of Oracle Linux 7",
          "product_id": "Oracle-Linux-7:libssh2-devel-0:1.8.0-4.el7_9.1.tuxcare.els1.i686"
        },
        "product_reference": "libssh2-devel-0:1.8.0-4.el7_9.1.tuxcare.els1.i686",
        "relates_to_product_reference": "Oracle-Linux-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libssh2-devel-0:1.8.0-4.el7_9.1.tuxcare.els1.x86_64 as a component of Oracle Linux 7",
          "product_id": "Oracle-Linux-7:libssh2-devel-0:1.8.0-4.el7_9.1.tuxcare.els1.x86_64"
        },
        "product_reference": "libssh2-devel-0:1.8.0-4.el7_9.1.tuxcare.els1.x86_64",
        "relates_to_product_reference": "Oracle-Linux-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libssh2-docs-0:1.8.0-4.el7_9.1.tuxcare.els1.noarch as a component of Oracle Linux 7",
          "product_id": "Oracle-Linux-7:libssh2-docs-0:1.8.0-4.el7_9.1.tuxcare.els1.noarch"
        },
        "product_reference": "libssh2-docs-0:1.8.0-4.el7_9.1.tuxcare.els1.noarch",
        "relates_to_product_reference": "Oracle-Linux-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libssh2-0:1.8.0-4.el7_9.1.i686 as a component of Oracle Linux 7",
          "product_id": "Oracle-Linux-7:libssh2-0:1.8.0-4.el7_9.1.i686"
        },
        "product_reference": "libssh2-0:1.8.0-4.el7_9.1.i686",
        "relates_to_product_reference": "Oracle-Linux-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libssh2-0:1.8.0-4.el7_9.1.x86_64 as a component of Oracle Linux 7",
          "product_id": "Oracle-Linux-7:libssh2-0:1.8.0-4.el7_9.1.x86_64"
        },
        "product_reference": "libssh2-0:1.8.0-4.el7_9.1.x86_64",
        "relates_to_product_reference": "Oracle-Linux-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libssh2-devel-0:1.8.0-4.el7_9.1.i686 as a component of Oracle Linux 7",
          "product_id": "Oracle-Linux-7:libssh2-devel-0:1.8.0-4.el7_9.1.i686"
        },
        "product_reference": "libssh2-devel-0:1.8.0-4.el7_9.1.i686",
        "relates_to_product_reference": "Oracle-Linux-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libssh2-devel-0:1.8.0-4.el7_9.1.x86_64 as a component of Oracle Linux 7",
          "product_id": "Oracle-Linux-7:libssh2-devel-0:1.8.0-4.el7_9.1.x86_64"
        },
        "product_reference": "libssh2-devel-0:1.8.0-4.el7_9.1.x86_64",
        "relates_to_product_reference": "Oracle-Linux-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libssh2-docs-0:1.8.0-4.el7_9.1.noarch as a component of Oracle Linux 7",
          "product_id": "Oracle-Linux-7:libssh2-docs-0:1.8.0-4.el7_9.1.noarch"
        },
        "product_reference": "libssh2-docs-0:1.8.0-4.el7_9.1.noarch",
        "relates_to_product_reference": "Oracle-Linux-7"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-15661",
      "cwe": {
        "id": "CWE-125",
        "name": "Out-of-bounds Read"
      },
      "notes": [
        {
          "category": "description",
          "text": "libssh2 through 1.11.1, fixed in commit 2dae302, contains an out-of-bounds heap read vulnerability in the sftp_symlink() function in src/sftp.c that allows a malicious SSH server or man-in-the-middle attacker to disclose heap memory contents or cause a crash by sending a crafted SSH_FXP_NAME response. Attackers can supply a link_len value larger than the actual packet data in SSH_FXP_NAME responses for SFTP READLINK and REALPATH operations, triggering a heap buffer over-read of up to target_len minus one bytes due to the missing validation of available packet buffer size before the memcpy operation.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "known_affected": [
          "Oracle-Linux-7:libssh2-0:1.8.0-4.el7_9.1.i686",
          "Oracle-Linux-7:libssh2-0:1.8.0-4.el7_9.1.tuxcare.els1.i686",
          "Oracle-Linux-7:libssh2-0:1.8.0-4.el7_9.1.tuxcare.els1.x86_64",
          "Oracle-Linux-7:libssh2-0:1.8.0-4.el7_9.1.x86_64",
          "Oracle-Linux-7:libssh2-devel-0:1.8.0-4.el7_9.1.i686",
          "Oracle-Linux-7:libssh2-devel-0:1.8.0-4.el7_9.1.tuxcare.els1.i686",
          "Oracle-Linux-7:libssh2-devel-0:1.8.0-4.el7_9.1.tuxcare.els1.x86_64",
          "Oracle-Linux-7:libssh2-devel-0:1.8.0-4.el7_9.1.x86_64",
          "Oracle-Linux-7:libssh2-docs-0:1.8.0-4.el7_9.1.noarch",
          "Oracle-Linux-7:libssh2-docs-0:1.8.0-4.el7_9.1.tuxcare.els1.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2025-15661"
        },
        {
          "category": "external",
          "summary": "https://github.com/libssh2/libssh2/commit/2dae3024897e1898d389835151f4e9606227721d",
          "url": "https://github.com/libssh2/libssh2/commit/2dae3024897e1898d389835151f4e9606227721d"
        },
        {
          "category": "external",
          "summary": "https://github.com/libssh2/libssh2/pull/1705",
          "url": "https://github.com/libssh2/libssh2/pull/1705"
        },
        {
          "category": "external",
          "summary": "https://github.com/libssh2/libssh2/pull/1717",
          "url": "https://github.com/libssh2/libssh2/pull/1717"
        },
        {
          "category": "external",
          "summary": "https://www.vulncheck.com/advisories/libssh2-heap-buffer-over-read-via-sftp-symlink-in-sftp-c",
          "url": "https://www.vulncheck.com/advisories/libssh2-heap-buffer-over-read-via-sftp-symlink-in-sftp-c"
        }
      ],
      "release_date": "2026-06-18T21:16:00Z",
      "remediations": [
        {
          "category": "no_fix_planned",
          "date": "2026-06-25T18:44:47.974359Z",
          "details": "This is a client-side SFTP parsing bug in libssh2 (through 1.11.1) that triggers only when a libssh2-based client performs READLINK/REALPATH and the remote SSH server is malicious or a man-in-the-middle attacker tampers with the SSH_FXP_NAME response; systems acting solely as SSH servers are not impacted. The flaw is an out-of-bounds heap read (no write), which at worst leaks a small amount of client-process memory or causes a client crash, without code execution or privilege escalation. Given the high attack complexity (attacker must control the server or successfully bypass SSH host-key verification) and the narrow preconditions, this is low operational risk for centrally managed enterprise VMs and can be safely deprioritized. This assessment assumes that libssh2-based clients keep SSH host-key verification enabled and connect only to trusted servers.",
          "product_ids": [
            "Oracle-Linux-7:libssh2-0:1.8.0-4.el7_9.1.i686",
            "Oracle-Linux-7:libssh2-0:1.8.0-4.el7_9.1.tuxcare.els1.i686",
            "Oracle-Linux-7:libssh2-0:1.8.0-4.el7_9.1.tuxcare.els1.x86_64",
            "Oracle-Linux-7:libssh2-0:1.8.0-4.el7_9.1.x86_64",
            "Oracle-Linux-7:libssh2-devel-0:1.8.0-4.el7_9.1.i686",
            "Oracle-Linux-7:libssh2-devel-0:1.8.0-4.el7_9.1.tuxcare.els1.i686",
            "Oracle-Linux-7:libssh2-devel-0:1.8.0-4.el7_9.1.tuxcare.els1.x86_64",
            "Oracle-Linux-7:libssh2-devel-0:1.8.0-4.el7_9.1.x86_64",
            "Oracle-Linux-7:libssh2-docs-0:1.8.0-4.el7_9.1.noarch",
            "Oracle-Linux-7:libssh2-docs-0:1.8.0-4.el7_9.1.tuxcare.els1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Oracle-Linux-7:libssh2-0:1.8.0-4.el7_9.1.i686",
            "Oracle-Linux-7:libssh2-0:1.8.0-4.el7_9.1.tuxcare.els1.i686",
            "Oracle-Linux-7:libssh2-0:1.8.0-4.el7_9.1.tuxcare.els1.x86_64",
            "Oracle-Linux-7:libssh2-0:1.8.0-4.el7_9.1.x86_64",
            "Oracle-Linux-7:libssh2-devel-0:1.8.0-4.el7_9.1.i686",
            "Oracle-Linux-7:libssh2-devel-0:1.8.0-4.el7_9.1.tuxcare.els1.i686",
            "Oracle-Linux-7:libssh2-devel-0:1.8.0-4.el7_9.1.tuxcare.els1.x86_64",
            "Oracle-Linux-7:libssh2-devel-0:1.8.0-4.el7_9.1.x86_64",
            "Oracle-Linux-7:libssh2-docs-0:1.8.0-4.el7_9.1.noarch",
            "Oracle-Linux-7:libssh2-docs-0:1.8.0-4.el7_9.1.tuxcare.els1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    }
  ]
}