CVE-2019-3859

9.1 CRITICAL

📋 TL;DR

This vulnerability in libssh2 allows a compromised or malicious SSH server to trigger an out-of-bounds read in client software, potentially causing a denial of service or memory disclosure. It affects SSH clients using libssh2 versions before 1.8.1. Because exploitation requires the client to connect to a malicious server, the exposed party is the connecting client; both client users and the administrators of the servers they connect to are impacted.

💻 Affected Systems

Products:
  • libssh2
  • applications using libssh2 library
Versions: All versions before 1.8.1
Operating Systems: Linux, Unix-like systems, Windows (if using libssh2)
Default Config Vulnerable: ⚠️ Yes
Notes: Any application linking against a vulnerable libssh2 version is affected, including SSH clients, Git, and other tools that use the SSH protocol.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete client compromise and data exfiltration.

🟠 Likely Case: Denial of service (client crash) or limited memory disclosure.

🟢 If Mitigated: No impact if patched or using unaffected versions.

🌐 Internet-Facing: MEDIUM - Requires the client to connect to a malicious server, which is less common than server-side attacks.
🏢 Internal Only: LOW - Internal SSH servers are typically trusted, reducing attack surface.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires the client to connect to a malicious server; no authentication is needed on the client side.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.8.1 and later

Vendor Advisory: https://www.libssh2.org/

Restart Required: Yes

Instructions:

1. Update the libssh2 package to version 1.8.1 or later using the system package manager.
2. Rebuild any statically linked applications.
3. Restart affected services or applications.

🔧 Temporary Workarounds

Disable SSH client connections (applies to: all): Temporarily disable SSH client functionality in affected applications.

Use alternative SSH library (applies to: all): Switch to OpenSSH or other SSH implementations temporarily.

🧯 If You Can't Patch

  • Restrict SSH client connections to trusted servers only
  • Implement network segmentation to limit exposure

🔍 How to Verify

Check if Vulnerable:

Check the libssh2 version: `libssh2-config --version` or `pkg-config --modversion libssh2`. Note that `ldconfig -p | grep libssh2` only shows whether and where the shared library is installed, not its version; use the package manager to confirm the installed package version.

Check Version:

libssh2-config --version || pkg-config --modversion libssh2

Verify Fix Applied:

Verify that the reported version is 1.8.1 or higher using the same commands. Some distributions backport the fix without changing the upstream version number, so if the version is below 1.8.1, check the package changelog for a CVE-2019-3859 entry before concluding that the system is unpatched.
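An added example (not part of this advisory) that turns the version check above into a POSIX sh script: it reads the installed version from pkg-config, falling back to dpkg-query or rpm (the package names libssh2-1 and libssh2 are assumptions), and compares it numerically against 1.8.1, since a plain string comparison would wrongly treat 1.10.0 as older than 1.8.1.

```shell
#!/bin/sh
# Added example, not part of the advisory: numeric check of the installed
# libssh2 version against the release that fixes CVE-2019-3859.
FIXED_VERSION="1.8.1"

# version_lt A B: exit 0 when dotted version A is numerically lower than B.
# Components compare as integers ("1.10.0" is newer than "1.8.1"); any
# non-numeric suffix such as "1.8.1_DEV" or "1.8.0-2" is ignored.
version_lt() {
    _a="$1." _b="$2."
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _x="${_a%%.*}" _a="${_a#*.}"       # leading component / remainder
        _y="${_b%%.*}" _b="${_b#*.}"
        _x="${_x%%[!0-9]*}" _y="${_y%%[!0-9]*}"   # keep digits only
        _x="${_x:-0}" _y="${_y:-0}"                 # missing component = 0
        [ "$_x" -lt "$_y" ] && return 0
        [ "$_x" -gt "$_y" ] && return 1
    done
    return 1   # equal
}

# libssh2_vulnerable VERSION: exit 0 when VERSION predates the fix.
libssh2_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# installed_libssh2_version: print the installed version. pkg-config is the
# reliable source; "ldconfig -p" only shows that the library is present.
# Package names libssh2-1 (Debian/Ubuntu) and libssh2 (RPM) are assumptions.
installed_libssh2_version() {
    pkg-config --modversion libssh2 2>/dev/null && return 0
    dpkg-query -W -f '${Version}\n' libssh2-1 2>/dev/null && return 0
    rpm -q --qf '%{VERSION}\n' libssh2 2>/dev/null && return 0
    return 1
}

# check_libssh2: exit 0 if vulnerable, 1 if fixed, 2 if the library is not found.
# Caveat: distributions sometimes backport the fix without bumping the upstream
# version, so confirm a "VULNERABLE" verdict against the package changelog.
check_libssh2() {
    _v=$(installed_libssh2_version) || { echo "libssh2 not found"; return 2; }
    if libssh2_vulnerable "$_v"; then
        echo "libssh2 $_v: VULNERABLE to CVE-2019-3859 (fixed in $FIXED_VERSION)"
    else
        echo "libssh2 $_v: not affected (>= $FIXED_VERSION)"; return 1
    fi
}

case "${1-}" in --run) check_libssh2 ;; esac   # usage: sh check.sh --run
```

The exit status of `check_libssh2` is the verdict, so the script can be used directly from a configuration-management or inventory job.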

📡 Detection & Monitoring

Log Indicators:

  • Unexpected client crashes
  • Memory access violation errors

Network Indicators:

  • SSH connections to unknown/untrusted servers

SIEM Query:

source="ssh" AND (event_type="crash" OR error="segmentation fault")
