
Cloud Vulnerability DB
A community-led vulnerabilities database
A flaw was found in the key export functionality of libssh (CVE-2025-5351). The issue occurs in the internal function responsible for converting cryptographic keys into serialized formats. During error handling, a memory structure is freed but not cleared, leading to a potential double free issue if an additional failure occurs later in the function. The vulnerability affects libssh versions 0.10.0 and later when built with OpenSSL 3.0 or later (Debian Tracker, Ubuntu Security).
The vulnerability exists in the pki_key_to_blob() function, where a memory structure (params) is deallocated during error handling but the pointer to it is not reset to NULL. The issue has received a CVSS 3.1 base score of 4.2 (Medium), with the following vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N. The vulnerability requires network access and has high attack complexity, with low privileges required and no user interaction needed (Ubuntu Security).
This condition may result in heap corruption or application instability in low-memory scenarios, posing a risk to system reliability where key export operations are performed. The vulnerability primarily affects system stability and could potentially lead to application crashes when key export operations are executed (Ubuntu Security, Debian Tracker).
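The free-without-clear pattern described above, as an added example (a simplified model, not libssh's source code). The names `struct params`, `params_new`, `params_free`, `export_key` and the failure flags are hypothetical, and the release routine is instrumented to count a repeated free rather than corrupt the heap.

```c
#include <stdio.h>

/* Hypothetical stand-in for the key-parameter structure; not libssh's type. */
struct params { int live; };

static struct params slot;   /* one tracked object instead of the real heap */
static int double_frees;     /* releases of an already-released object */

static struct params *params_new(void) { slot.live = 1; return &slot; }

/* Instrumented release: records a repeat free instead of corrupting memory. */
static void params_free(struct params *p) {
    if (p == NULL) return;               /* like free(NULL): a no-op */
    if (!p->live) { double_frees++; return; }
    p->live = 0;
}

/* fail_a: first step fails; fail_b: a further failure during error handling;
 * clear_after_free: 0 = flawed pattern, 1 = pointer set to NULL after free. */
static int export_key(int fail_a, int fail_b, int clear_after_free) {
    struct params *params = params_new();
    int rc = -1;

    if (fail_a) {
        params_free(params);             /* error handling releases params */
        if (clear_after_free) params = NULL;
        if (fail_b) goto out;            /* second failure hits shared cleanup */
        return rc;
    }
    rc = 0;
out:
    params_free(params);                 /* shared cleanup frees params again */
    return rc;
}

/* Runs one scenario and returns how many double frees it triggered. */
static int count_double_frees(int fail_a, int fail_b, int clear_after_free) {
    double_frees = 0;
    (void)export_key(fail_a, fail_b, clear_after_free);
    return double_frees;
}

int main(void) {
    printf("one failure, flawed:  %d\n", count_double_frees(1, 0, 0));
    printf("two failures, flawed: %d\n", count_double_frees(1, 1, 0));
    printf("two failures, fixed:  %d\n", count_double_frees(1, 1, 1));
    return 0;
}
```

Only the combination of two failures with the uncleared pointer reaches the second release, which matches the advisory's note that the issue surfaces when an additional failure occurs later in the function.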
Fixed versions have been released for various distributions: Ubuntu 25.04 (0.11.1-1ubuntu0.1), 24.10 (0.10.6-3ubuntu1.1), and 24.04 LTS (0.10.6-2ubuntu0.1). Debian has also released fixes with version 0.11.2-1 for sid and trixie distributions (Ubuntu Security, Debian Tracker).
Source: This report was generated using AI