CVE-2025-4878
Public on 2025-06-27
Modified on 2025-06-27

Description

The privatekey_from_file() function uses an uninitialized variable under certain conditions, such as when the file specified by the filename argument doesn't exist. This causes the code to return an invalid private key. This defect, in turn, might cause signing failure. The bug might also cause a Use-After-Free or corrupt the heap.

Note that privatekey_from_file() is a deprecated function and shouldn't be used anymore!
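The defect class described above, as an added example that is not libssh source and not part of the advisory: a constructed C model of one way a wrapper can return an uninitialized key pointer when the file is missing, next to a hardened form. All names, return codes and the one-integer key file format are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model, not libssh source; all names are hypothetical. */
enum { IMPORT_OK = 0, IMPORT_ERROR = -1, IMPORT_NOFILE = -2 };
struct demo_key { int type; };

/* Importer: writes *out only on success and has two distinct failure codes. */
static int demo_import_key(const char *path, struct demo_key **out)
{
    FILE *fp = fopen(path, "r");
    if (fp == NULL)
        return IMPORT_NOFILE;            /* *out is left untouched */
    struct demo_key *k = calloc(1, sizeof(*k));
    int ok = (k != NULL && fscanf(fp, "%d", &k->type) == 1);
    fclose(fp);
    if (!ok) {
        free(k);
        return IMPORT_ERROR;
    }
    *out = k;
    return IMPORT_OK;
}

/* Weak wrapper (for contrast, never called here): key has no start value and
 * only one failure code is tested, so a missing file returns garbage. */
struct demo_key *load_key_weak(const char *path)
{
    struct demo_key *key;
    if (demo_import_key(path, &key) == IMPORT_ERROR)
        return NULL;
    return key;
}

/* Hardened wrapper: defined start value; anything but success returns NULL. */
struct demo_key *load_key_hardened(const char *path)
{
    struct demo_key *key = NULL;
    if (demo_import_key(path, &key) != IMPORT_OK)
        return NULL;
    return key;
}

int main(void)
{
    struct demo_key *k = load_key_hardened("/nonexistent/constructed-key");
    printf("missing file -> %s\n", k == NULL ? "NULL (safe to test)" : "key");
    free(k);
    return 0;
}
```

A caller of the weak wrapper cannot distinguish the returned pointer from a valid key, so a later use or free of it acts on arbitrary memory.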
Severity
          
        CVSS v3 Base Score
          
        Affected Packages
| Platform | Package | Release Date | Advisory | Status | 
|---|---|---|---|---|
| Amazon Linux 2023 | libssh | 2025-09-08 | ALAS2023-2025-1155 | Fixed | 
CVSS Scores
| | Score Type | Score | Vector |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 4.5 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L |
| NVD | CVSSv3 | 3.6 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N |