CVE & CISA-KEV Catalog

CVE-2021-3634

MEDIUMEPSS 91th pctl
6.5
CVSS v3
NVD

Description

A flaw has been found in libssh in versions prior to 0.9.6. The SSH protocol keeps track of two shared secrets during the lifetime of the session. One of them is called secret_hash and the other session_id. Initially, both of them are the same, but after key re-exchange, previous session_id is kept and used as an input to new secret_hash. Historically, both of these buffers had shared length variable, which worked as long as these buffers were same. But the key re-exchange operation can also change the key exchange method, which can be based on hash of different size, eventually creating "secret_hash" of different size than the session_id has. This becomes an issue when the session_id memory is zeroed or when it is used again during second key re-exchange.

How to fix

Remediation Available
libsshDebian
Fixed in:0.9.5-1+deb11u1CVE-2021-3634
Fixed in:0.9.6-1CVE-2021-3634
Fixed in:0.9.6-1CVE-2021-3634
Fixed in:0.9.6-1CVE-2021-3634
libsshUbuntu
Fixed in:0.9.3-2ubuntu2.2USN-5053-1
libssh-4Ubuntu
Fixed in:0.9.3-2ubuntu2.2USN-5053-1

Remediation is compiled from vendor and distribution security advisories. Always confirm against the linked source for your exact version and platform.

CVSS v3 Vector

Exploitability

Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredLow
User InteractionNone
ScopeUnchanged

Impact

ConfidentialityNone
IntegrityNone
AvailabilityHigh

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Exploit Intelligence

4.68%probability of exploitation in 30 days
91stpercentile

High risk: more likely to be exploited than 91% of all known CVEs.

References

Related Vulnerabilities

Other CWE-787 (Out-of-bounds Write) vulnerabilities, ordered by exploit likelihood. View all

CVESeverityCVSSEPSSExploitedFix
CVE-2025-22457Critical9.0100%KEV + RansomFix
CVE-2025-0282Critical9.0100%KEV + Ransom-
CVE-2015-3113Critical9.8100%KEVFix
CVE-2021-20038Critical9.8100%KEV + Ransom-
CVE-2023-4863High8.8100%KEVFix
CVE-2020-16040Medium6.5100%-Fix
Embed a live status badge for CVE-2021-3634
CVE-2021-3634 severity badge

Markdown

[![CVE-2021-3634](https://tridentstack.com/cve/badge/CVE-2021-3634.svg)](https://tridentstack.com/cve/CVE-2021-3634)

HTML

<a href="https://tridentstack.com/cve/CVE-2021-3634"><img src="https://tridentstack.com/cve/badge/CVE-2021-3634.svg" alt="CVE-2021-3634"></a>

Find and fix vulnerabilities across your fleet

TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.

Start free

This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2024-11-21.