From 6bf715d85b33e4a8a824f2e9ab71971d46153d58 Mon Sep 17 00:00:00 2001
From: Azure Linux Security Servicing Account
 <azurelinux-security@microsoft.com>
Date: Wed, 11 Mar 2026 05:59:34 +0000
Subject: [PATCH] Patch libssh for CVE-2026-3731

---
 SPECS/libssh/CVE-2026-3731.patch | 42 ++++++++++++++++++++++++++++++++
 SPECS/libssh/libssh.spec         |  6 ++++-
 2 files changed, 47 insertions(+), 1 deletion(-)
 create mode 100644 SPECS/libssh/CVE-2026-3731.patch

diff --git a/SPECS/libssh/CVE-2026-3731.patch b/SPECS/libssh/CVE-2026-3731.patch
new file mode 100644
index 00000000000..cab6f3cb20c
--- /dev/null
+++ b/SPECS/libssh/CVE-2026-3731.patch
@@ -0,0 +1,42 @@
+From 7e85a3106d43699b1662d46480b377bfc55fcbbf Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Thu, 11 Dec 2025 13:22:44 +0100
+Subject: [PATCH] sftp: Fix out-of-bound read from sftp extensions
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+Reviewed-by: Pavol Žáčik <pzacik@redhat.com>
+(cherry picked from commit 855a0853ad3abd4a6cd85ce06fce6d8d4c7a0b60)
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://git.libssh.org/projects/libssh.git/patch/?id=f80670a7aba86cbb442c9b115c9eaf4ca04601b8
+---
+ src/sftp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/sftp.c b/src/sftp.c
+index e01012a..e55f5e1 100644
+--- a/src/sftp.c
++++ b/src/sftp.c
+@@ -768,7 +768,7 @@ const char *sftp_extensions_get_name(sftp_session sftp, unsigned int idx) {
+     return NULL;
+   }
+ 
+-  if (idx > sftp->ext->count) {
++    if (idx >= sftp->ext->count) {
+     ssh_set_error_invalid(sftp->session);
+     return NULL;
+   }
+@@ -784,7 +784,7 @@ const char *sftp_extensions_get_data(sftp_session sftp, unsigned int idx) {
+     return NULL;
+   }
+ 
+-  if (idx > sftp->ext->count) {
++    if (idx >= sftp->ext->count) {
+     ssh_set_error_invalid(sftp->session);
+     return NULL;
+   }
+-- 
+2.45.4
+
diff --git a/SPECS/libssh/libssh.spec b/SPECS/libssh/libssh.spec
index 292bdd453f4..c47c25f563f 100644
--- a/SPECS/libssh/libssh.spec
+++ b/SPECS/libssh/libssh.spec
@@ -2,7 +2,7 @@ Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 Name:           libssh
 Version:        0.10.6
-Release:        5%{?dist}
+Release:        6%{?dist}
 Summary:        A library implementing the SSH protocol
 License:        LGPLv2+
 URL:            http://www.libssh.org
@@ -19,6 +19,7 @@ Patch3:         CVE-2025-5318.patch
 Patch4:         CVE-2025-4878.patch
 Patch5:         CVE-2025-8277.patch
 Patch6:         CVE-2025-8114.patch
+Patch7:         CVE-2026-3731.patch
 
 BuildRequires:  cmake
 BuildRequires:  gcc-c++
@@ -152,6 +153,9 @@ popd
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/libssh/libssh_server.config
 
 %changelog
+* Wed Mar 11 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 0.10.6-6
+- Patch for CVE-2026-3731
+
 * Wed Nov 12 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 0.10.6-5
 - Patch for CVE-2025-8114