CVE-2025-5372: 
Linux Debian vulnerability analysis and mitigation

CVE-2025-5372 is a security vulnerability affecting all versions of libssh built with OpenSSL versions lower than 3.0. The vulnerability was discovered by Ronald Crane and disclosed on June 25, 2025. The issue involves the ssh_kdf() function returning a success code on certain failures, which affects the SSH key derivation functionality (LibSSH Advisory).

The vulnerability stems from a mismatch between OpenSSL and libssh return value conventions, where OpenSSL's return value 0 (indicating failure) aliases with libssh's SSHOK (0). This causes sshkdf() to return a success code without properly initializing output buffers. The vulnerability has been assigned a CVSS v3.1 score of 4.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C) (LibSSH Advisory).

When exploited, this vulnerability can lead to the use of uninitialized cryptographic keys and subsequent failures in encrypting or decrypting communication. This poses a significant security risk as it could potentially compromise the confidentiality and integrity of SSH sessions (LibSSH Advisory).

A fix has been released in libssh version 0.11.2. As a workaround, administrators can build libssh with OpenSSL 3.0 or later versions. The libssh team strongly recommends upgrading to the latest version or applying the available security patches as soon as possible (LibSSH Advisory).