TTSSH2 has out-of-bounds access vulnerability

Release date: July 15, 2026

Overview

Tera Term bundles the TTSSH2 plugin, which enables SSH connections.
TTSSH2 3.6.1 or earlier has a vulnerability that can cause out-of-bounds access due to packets from a malicious server or a man-in-the-middle attacker.

Affected version

From TTSSH2 1.00 alpha1 through 3.6.1.
Tera Term versions bundling TTSSH2: From UTF-8 TeraTerm Pro 2.05 (bundling TTSSH2 1.00 alpha2) through Tera Term 5.6.1 (bundling TTSSH2 3.6.1).

Impact

An out-of-bounds read may cause adjacent memory to be interpreted as part of the received packet.
An out-of-bounds write may cause adjacent memory to be overwritten. The written values are not attacker-controlled; they are limited to a temporary '\0' and restoration of the original value.
As a result, adjacent memory contents may be sent to the server, and Tera Term may behave unexpectedly or terminate abnormally.

Solution

Please use the latest release of the software 5.x series.
There are no plans to provide a fix for the software 4.x series.

Acknowledgment

Thank you for Yukihiro Nakamura, IPA and JPCERT/CC relationship.

History

Contact

Email: TeraTerm-nospam-contactgroups.io