CVE-2025-5372 in libssh

Summary

by MITRE • 07/04/2025

A flaw was found in libssh versions built with OpenSSL versions older than 3.0, specifically in the ssh_kdf() function responsible for key derivation. Due to inconsistent interpretation of return values (OpenSSL uses 0 to indicate failure, while libssh uses 0 for success), the function may mistakenly return a success status even when key derivation fails. This results in uninitialized cryptographic key buffers being used in subsequent communication, potentially compromising SSH sessions' confidentiality, integrity, and availability.


Analysis

by VulDB Data Team • 01/25/2026

CVE-2025-5372 is a critical cryptographic flaw in libssh builds that use OpenSSL versions prior to 3.0. It affects the ssh_kdf() function, which performs key derivation during SSH protocol negotiation. The flaw is a mismatch in how OpenSSL and libssh interpret return values, so a cryptographic failure reported by OpenSSL is silently masked by libssh. It is a classic case of a library interface mismatch with severe consequences for secure communications.

The root cause is the divergent return value conventions of the two libraries. In OpenSSL versions prior to 3.0, a return value of zero signals failure of a cryptographic operation, whereas libssh uses zero to signal success. The mismatch surfaces when ssh_kdf() hands its cryptographic parameters to OpenSSL's underlying functions: if OpenSSL reports failure with a zero return code, the libssh wrapper treats that zero as success and assumes key derivation completed properly. ssh_kdf() therefore returns a success status even when the underlying operation failed, and the session proceeds with incomplete or invalid key material.
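The convention clash described above, reduced to a minimal C illustration (added here; this is a constructed stand-in, not libssh's real ssh_kdf() or OpenSSL's KDF code). openssl_style_kdf() is a toy primitive that follows the OpenSSL 1.x convention (1 = success, 0 = failure); kdf_vulnerable() passes its return code through unchanged, so a failure comes back as 0, which a libssh-style caller reads as SSH_OK; kdf_fixed() translates the convention explicitly and wipes the output buffer on failure. The SSH_OK and SSH_ERROR values match the ones libssh defines.

```c
#include <string.h>

/* libssh status codes (these are the values libssh.h defines). */
#define SSH_OK     0
#define SSH_ERROR -1

/* Stand-in for an OpenSSL < 3.0 KDF primitive: 1 = success, 0 = failure.
 * Toy derivation; it fails for an empty key or an over-long request so the
 * error path can be exercised. Constructed for this example, not OpenSSL code. */
static int openssl_style_kdf(const unsigned char *key, size_t key_len,
                             unsigned char *out, size_t out_len)
{
    if (key_len == 0 || out_len > 64) {
        return 0;                     /* OpenSSL convention: 0 is failure */
    }
    for (size_t i = 0; i < out_len; i++) {
        out[i] = key[i % key_len] ^ (unsigned char)i;
    }
    return 1;
}

/* Vulnerable wrapper (the bug class, not libssh's real ssh_kdf): it passes
 * the OpenSSL return code straight through. A failure comes back as 0,
 * which the caller reads as SSH_OK, and 'out' still holds whatever stale
 * bytes it had before the call. */
int kdf_vulnerable(const unsigned char *key, size_t key_len,
                   unsigned char *out, size_t out_len)
{
    return openssl_style_kdf(key, key_len, out, out_len);
}

/* Hardened wrapper: translate the convention explicitly and scrub the
 * output buffer on failure so stale bytes can never be used as key material. */
int kdf_fixed(const unsigned char *key, size_t key_len,
              unsigned char *out, size_t out_len)
{
    if (openssl_style_kdf(key, key_len, out, out_len) != 1) {
        memset(out, 0, out_len);
        return SSH_ERROR;
    }
    return SSH_OK;
}
```

With a 100-byte request (which the toy primitive rejects), kdf_vulnerable() returns 0, indistinguishable from SSH_OK, and leaves the buffer's stale contents in place, while kdf_fixed() returns SSH_ERROR and zeroes the buffer.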

The operational impact of CVE-2025-5372 goes beyond functionality degradation. Because uninitialized cryptographic buffers are then used for the rest of the session, an attacker could compromise session confidentiality by intercepting or manipulating the encrypted data streams. Integrity is affected because the session may keep running with weakened cryptographic protections, and availability can be affected through session termination or forced reconnection. The flaw undermines the core security guarantees that SSH is designed to provide, which makes it particularly dangerous in environments where secure remote access is critical. Exploitation requires network access to the affected systems and could enable man-in-the-middle attacks or credential theft.

The vulnerability is classified under CWE-254 and CWE-310, which cover weaknesses in cryptographic implementations and improper handling of return values in cryptographic functions. In ATT&CK terms it maps to credential access and privilege escalation through exploitation of cryptographic weakness, and shows characteristics of T1552 (Credentials in Files) and T1566 (Phishing), as attackers may leverage compromised SSH sessions to gain unauthorized access to systems. Organizations should prioritize updating libssh to versions that correctly handle OpenSSL return value conventions, monitor for unusual SSH connection patterns, and assess systems that use affected libssh builds. Network segmentation and intrusion detection systems should also be tuned to detect exploitation attempts against this vulnerability.

Disclosure

07/04/2025

Moderation

accepted

CPE

ready

EPSS

0.00246

KEV

no

Activities

very low
