CVE-2025-4878
LowCVSS 3.6Exploitation Probability (EPSS)
Low risk8th percentile — higher than 8% of all known CVEs
Summary
A vulnerability was found in libssh involving an uninitialized variable in the privatekey_from_file() function. It is triggered when the specified file does not exist, potentially leading to signing failures or heap corruption.
Risk Assessment
The risk includes potential heap corruption and unpredictable signing behavior, which could cause service crashes or compromise data integrity.
Recommendation
It is recommended to update libssh to the latest patched version and ensure that applications using libssh are properly protected against this vulnerability.
Original NVD description (English source)
A vulnerability was found in libssh, where an uninitialized variable exists under certain conditions in the privatekey_from_file() function. This flaw can be triggered if the file specified by the filename doesn't exist and may lead to possible signing failures or heap corruption.

