Name: CVE-2026-0964

Description: A malicious SCP server can send unexpected paths that could make the client application override local files outside of working directory. This could be misused to create malicious executable or configuration files and make the user execute them under specific consequences. This is the same issue as in OpenSSH, tracked as CVE-2019-6111.

Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Debian Bugs: 1127693

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release               Version            Status
libssh (PTS)     bullseye              0.9.8-0+deb11u1    vulnerable
                 bullseye (security)   0.9.8-0+deb11u2    vulnerable
                 bookworm              0.10.6-0+deb12u2   vulnerable
                 bookworm (security)   0.10.6-0+deb12u1   vulnerable
                 trixie                0.11.2-1+deb13u1   vulnerable
                 forky, sid            0.12.0-3           fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
libssh    source   (unstable)   0.12.0-1                           1127693

Notes

[trixie] - libssh <no-dsa> (Minor issue)
[bookworm] - libssh <no-dsa> (Minor issue)
[bullseye] - libssh <postponed> (Minor issue)
https://www.libssh.org/security/advisories/CVE-2026-0964.txt
Fixed by: https://git.libssh.org/projects/libssh.git/commit/?id=a5e4b12090b0c939d85af4f29280e40c5b6600aa (libssh-0.11.4)