Two flaws in Tera Term (CVE-2026-58317 and CVE-2026-60060): a malicious SSH server could leak your PC's memory β update to 5.6.2
Two flaws (CVE-2026-58317, CVE-2026-60060) were found in Tera Term, a popular Japanese tool for connecting to servers. Connecting to a malicious server could leak your PC's memory or crash the app. Severity is medium with no observed abuse; we explain who is affected and how to update to 5.6.2.
Table of contents
Two flaws (CVE-2026-58317, CVE-2026-60060) were found in Tera Term, a popular Japanese tool for connecting to servers. Connecting to a malicious server could leak your PC's memory or crash the app. Severity is medium with no observed abuse; we explain who is affected and how to update to 5.6.2.
Two vulnerabilities have been found in "Tera Term," a Japanese-made program widely used to connect to servers. Disclosed on July 16, 2026 by JVN (JVN65294474), Japan's vulnerability information portal, the flaws mean that if you connect to a malicious server, the contents of your computer's memory could leak or the program could crash.
The problem lies in "TTSSH2," the component that handles encrypted communication in Tera Term. The developer has already released the fixed Tera Term 5.6.2 (TTSSH2 3.6.2) on July 15, 2026. The developer rates the severity as "medium," and there is no sign of the flaws being used in real attacks. There is no need to panic, but this article walks through what happens, whether you are affected, and how to update.
What is Tera Term, and why does it matter
Tera Term is a free Windows program for connecting to and operating remote servers and network devices. It has a history going back to the 1990s and is now maintained by the TeraTerm Project. Made in Japan and with a wealth of Japanese-language documentation, it has long been a go-to tool in Japanese system operations, development, network device configuration, and embedded-device testing.
The issue is in a plugin called "TTSSH2" built into Tera Term. TTSSH2 handles "SSH," a mechanism for encrypted communication. SSH is the set of rules that encrypts traffic between your computer and a server so third parties cannot eavesdrop, allowing safe remote control. This component processes the traffic behind the scenes when you log in to a server or change a device's settings.
In short, the connection component that handles talking to servers had a bug in how it handles data. Anyone who uses Tera Term to connect to a server could be affected.
What happened: the two flaws
Both disclosed issues are bugs in how TTSSH2 handles the length of the data it receives. In both cases, when a user tries to make an SSH connection to a server prepared by an attacker, the program can reach into memory it should not touch β a class of problem known as an "out-of-bounds memory access." Here is an overview.
| Item | CVE-2026-58317 | CVE-2026-60060 |
|---|---|---|
| Type of bug | Signed/unsigned conversion error | Length mismatch mishandling |
| What happens | Out-of-bounds read | Out-of-bounds write / info leak |
| Severity (developer) | Medium (CVSS 5.1 / 6.3) | Medium (CVSS 5.1 / 6.3) |
| Precondition | Connecting to a malicious server | Connecting to a malicious server |
| Real-world abuse | None observed | None observed |
CVE-2026-58317: reading past the edge of memory
The first flaw, CVE-2026-58317, stems from a mistake when converting numbers. Programs distinguish between numbers that cannot be negative (unsigned integers) and numbers that can be negative (signed integers). TTSSH2 mishandles this conversion in one place, which can cause it to read memory outside its allocated range. The developer rates it as medium severity (5.1 on the newer CVSS 4.0 scale, 6.3 on the older CVSS 3.0 scale). It was reported by Yukihiro Nakamura to IPA (Information-technology Promotion Agency) under Japan's information-security early-warning partnership.
CVE-2026-60060: writing out of bounds, leaking memory to the server
The second flaw, CVE-2026-60060, is a failure to handle the case where the "length" value of received data disagrees with the actual content. According to JVN, this can cause an out-of-bounds write, so that adjacent memory contents are sent to the server, Tera Term behaves unexpectedly, or the program crashes. In other words, other information left in your computer's memory could unintentionally flow to the server you connected to. The severity is again medium (5.1 on CVSS 4.0, 6.3 on CVSS 3.0). This one was reported by the developer to the JPCERT Coordination Center (JPCERT/CC).
Who can actually exploit this
These are not "your server gets taken over" flaws. It is the opposite: the connecting side (the person using Tera Term) is the target. Because the mechanism is a bit unusual, here is who could abuse it and how.
The people who can exploit it are attackers who can stand up a convincing fake server, or hijack traffic to redirect where you connect. If a user accidentally makes an SSH connection to that server, the attacker's crafted data reaches TTSSH2.
At that moment, the attacker aims to make the computer running Tera Term read and write memory out of bounds, send parts of that memory back to their own server, or force the program to crash. If it works, fragments of other data left in memory β such as pieces of other connection details β could leak out.
That said, the attack requires the user to connect to the attacker's server in the first place. As long as you only connect to your own trusted servers, this path is hard to trigger. Conversely, the risk rises if you connect to unknown servers without checking the address, or work over public Wi-Fi where traffic is easier to hijack. That is exactly why closing the hole with an update is the sure move.
Is your Tera Term affected?
Affected versions are those with TTSSH2 3.6.1 or earlier β effectively almost every version released before the fix. You can check your version from Tera Term's menu under "Help" β "About." Match your situation against the table below.
| Your version | Impact | What to do |
|---|---|---|
| Tera Term 5.6.2 or later (TTSSH2 3.6.2+) | Not affected (fixed) | Nothing needed |
| Tera Term 5.0β5.6.1 (TTSSH2 up to 3.6.1) | Affected | Update to 5.6.2 |
| Tera Term 4.x (legacy, end of life) | Affected + unsupported | Migrate to 5.6.2 |
| Serial only (no SSH) | Little direct impact here | Update soon anyway |
Besides SSH, Tera Term is also used for "serial" connections over a direct cable to a device. Because these flaws are in the SSH component, the direct impact is smaller if you only use serial connections. Even so, Tera Term 5.6.2 also fixes some file-transfer bugs beyond these vulnerabilities, so it is safest to bring every install up to the latest version regardless of use.
Severity is "medium," and here's why you don't need to panic
In news reports and security scanners, severity is shown as a "CVSS" score out of 10. The higher the score, the more dangerous; 9.0 and above is classed as "Critical." Both of these flaws are rated by the developer at 5.1 on the newer CVSS 4.0 and 6.3 on the older CVSS 3.0 β both "Medium." Not critical.
There are reasons beyond the score to stay calm. First, the attack requires the user to connect to the attacker's server, so not everyone is exposed unconditionally. Second, no real-world abuse has been observed and no proof-of-concept (PoC) exploit code has been published. Third, the flaws are not on the U.S. CISA list of vulnerabilities being actively exploited in the wild ("KEV"). You can read our companion piece on why a scanner's "9.1 Critical" for Apache Tomcat clashed with the developer's "Low" rating for how these mismatches happen.
Scanner scores taking on a life of their own is not unique to Tera Term. The official CISA Known Exploited Vulnerabilities catalog is a good reference for checking whether something is actually being attacked. Rather than acting on the displayed number alone, look at the assigning body's (developer's) rating and whether the flaw is really being exploited. Here, the answer is "medium, no abuse," so a planned update β not emergency response β is enough.
The fix: how to update to 5.6.2
The fix is simple: update Tera Term to the latest 5.6.2. The fixed TTSSH2 3.6.2 closes both flaws. The steps are as follows.
- Open the official GitHub releases page and choose the latest "v5.6.2"
- Download the installer matching your PC (x64 for 64-bit, x86 for 32-bit, or arm64)
- If you want a portable copy with your settings, a no-install ZIP (portable) build is also available
- Run the downloaded installer and follow the prompts; your settings are generally carried over
If you distribute Tera Term to many endpoints or manage the installer centrally, swap your deployment package to 5.6.2 before rolling it out. It also matters where you download from: always get it from the official site or the official GitHub releases, and avoid unknown mirror sites that appear in search results.
A technical look: why it happened
Both flaws trace back to how the "length" of received SSH data is handled. In SSH, data is preceded by a "this many bytes are coming" length value. The receiving side trusts that length, reserves a region of memory, and reads or writes the data. If the length is misinterpreted, the program touches memory beyond the reserved region.
CVE-2026-58317 (CWE-196, "unsigned-to-signed conversion error") is a mistake when converting the length value from unsigned to signed. When a value that should be a large positive number is interpreted as negative, range checks are bypassed and an unexpected location is read.
CVE-2026-60060 (CWE-130, "improper handling of length parameter inconsistency") is a lack of handling when the declared length and the actual data volume disagree. This causes an out-of-bounds write, so adjacent memory can be returned to the server as part of the response β the information leak. The fixed TTSSH2 3.6.2 states in its release notes that it "fixed an issue with length validation of received SSH2 packets," adding proper checks before using the received length. Even if an attacker's server sends a bogus length, the overrun no longer occurs.
Tera Term and past SSH vulnerabilities
This is not the first time an encryption flaw has touched Tera Term. In late 2023, a problem in the SSH standard itself called "Terrapin" (CVE-2023-48795) affected SSH clients worldwide, and older Tera Term versions were among them. Back then, too, the fix was to update to a patched version.
The lesson is that in components that carry the foundation of communication, such as SSH, small bugs are found and fixed regularly. That is precisely why the ordinary practice of "keep the everyday tools you rely on up to date" works best. Here as well, the developer released the fix promptly after receiving the reports β a case of Japan's reporting framework (IPA and JPCERT/CC) and the developer working together.
Frequently asked questions
Q. Is it dangerous if I don't update right away?
A. It is not an emergency. The severity is medium and no real-world abuse has been observed. Still, the fix is already out, so plan to move to 5.6.2 at your next maintenance window. If you often connect to unfamiliar servers or work over public Wi-Fi, update sooner rather than later.
Q. I only connect to my own servers. Am I still affected?
A. The attack requires connecting to a server prepared by an attacker. As long as you connect only to your own trusted servers, the exploitation path is hard to trigger. That said, traffic hijacking that redirects your connection is not impossible, so updating to close the hole is the sure move.
Q. A scanner flagged it as "dangerous." What should I do?
A. The score a scanner shows can be a worst-case automatic estimate. Here the developer's rating is "medium" and there is no real abuse. There is no need to react as if it were an emergency; updating to 5.6.2 resolves it.
Q. Is it OK to keep using Tera Term 4.x?
A. Tera Term 4.x has reached end of life and will not receive new fixes. Beyond this issue, plan to migrate to the supported 5.x line (5.6.2 or later).
Summary
Two vulnerabilities (CVE-2026-58317 and CVE-2026-60060) were found in TTSSH2, the encrypted-communication component of the popular Japanese tool Tera Term. If you connect to a malicious server, your computer's memory contents could leak or the program could crash. The severity is medium, no real-world abuse has been observed, and it is not an emergency.
There is one thing to do: update Tera Term to the latest 5.6.2. The fixed TTSSH2 3.6.2 closes both flaws. Don't get swept up by the size of the number; look at the developer's rating and actual exploitation status, then update on a planned basis. For a "medium, no abuse" flaw like this, that calm approach is itself the best answer.
Sources
- βΈ JVN#65294474 - Multiple vulnerabilities in the TTSSH2 plugin of Tera Term (July 16, 2026)
- βΈ TeraTerm Project - Out-of-bounds memory access in TTSSH2 (Security Advisory)
- βΈ TeraTerm Project - Releases (Tera Term 5.6.2) (July 15, 2026)
- βΈ Tera Term official site
- βΈ JPCERT Coordination Center
- βΈ NVD - CVE-2023-48795 (Terrapin attack)

Makoto Horikawa
Backend Engineer / AWS / Django