diff --git a/security/libssh/Makefile b/security/libssh/Makefile
index ad5bdda9c23..6806ec40395 100644
--- a/security/libssh/Makefile
+++ b/security/libssh/Makefile
@@ -1,8 +1,8 @@
 COMMENT =		C library implementing server and client side SSH
-V =			0.11.3
+V =			0.12.0
 DISTNAME =		libssh-${V}
 
-SHARED_LIBS +=		ssh		4.3 # 4.8
+SHARED_LIBS +=		ssh		4.4 # 4.11
 
 CATEGORIES =		security devel
 
diff --git a/security/libssh/distinfo b/security/libssh/distinfo
index 92a6bd42800..dd8a108ebb5 100644
--- a/security/libssh/distinfo
+++ b/security/libssh/distinfo
@@ -1,2 +1,2 @@
-SHA256 (libssh-0.11.3.tar.xz) = fYoTYbsJTsP1EZZOeKWk26aJtZhuESr6vk9NDWxhJcM=
-SIZE (libssh-0.11.3.tar.xz) = 622776
+SHA256 (libssh-0.12.0.tar.xz) = Gmr0JNgyfl7t705f5/W5JCJt1hesnz3oDyF9gqNqcSE=
+SIZE (libssh-0.12.0.tar.xz) = 751928
diff --git a/security/libssh/patches/patch-ConfigureChecks_cmake b/security/libssh/patches/patch-ConfigureChecks_cmake
index 52541523d69..6ce4f4e85fd 100644
--- a/security/libssh/patches/patch-ConfigureChecks_cmake
+++ b/security/libssh/patches/patch-ConfigureChecks_cmake
@@ -13,9 +13,9 @@ Index: ConfigureChecks.cmake
 -    check_function_exists(EVP_chacha20 HAVE_OPENSSL_EVP_CHACHA20)
 +    #check_function_exists(EVP_chacha20 HAVE_OPENSSL_EVP_CHACHA20)
  
-     unset(CMAKE_REQUIRED_INCLUDES)
-     unset(CMAKE_REQUIRED_LIBRARIES)
-@@ -261,7 +261,7 @@ check_c_source_compiles("
+     # Check for ML-KEM availability (OpenSSL 3.5+)
+     if (OPENSSL_VERSION VERSION_GREATER_EQUAL "3.5.0")
+@@ -280,7 +280,7 @@ check_c_source_compiles("
  __thread int tls;
  
  int main(void) {
diff --git a/security/libssh/patches/patch-src_CMakeLists_txt b/security/libssh/patches/patch-src_CMakeLists_txt
index 06f675fc2f1..a9f035a6e59 100644
--- a/security/libssh/patches/patch-src_CMakeLists_txt
+++ b/security/libssh/patches/patch-src_CMakeLists_txt
@@ -5,9 +5,9 @@ uses pthread functions whether or not pthread was linked.
 Index: src/CMakeLists.txt
 --- src/CMakeLists.txt.orig
 +++ src/CMakeLists.txt
-@@ -56,6 +56,13 @@ if (MINGW AND Threads_FOUND)
-   )
- endif()
+@@ -68,6 +68,13 @@ if (HAVE_LIBFIDO2)
+     )
+ endif (HAVE_LIBFIDO2)
  
 +if (Threads_FOUND)
 +  set(LIBSSH_LINK_LIBRARIES
diff --git a/security/libssh/patches/patch-tests_unittests_torture_misc_c b/security/libssh/patches/patch-tests_unittests_torture_misc_c
new file mode 100644
index 00000000000..68fd3c49af7
--- /dev/null
+++ b/security/libssh/patches/patch-tests_unittests_torture_misc_c
@@ -0,0 +1,27 @@
+ssh_path_expand_tilde() calls getpwnam, invalidating pw returned
+by getpwuid
+
+Index: tests/unittests/torture_misc.c
+--- tests/unittests/torture_misc.c.orig
++++ tests/unittests/torture_misc.c
+@@ -255,9 +255,9 @@ static void torture_path_expand_tilde_unix(void **stat
+     pw = getpwuid(getuid());
+     assert_non_null(pw);
+ 
+-    user = pw->pw_name;
++    user = strdup(pw->pw_name);
+     assert_non_null(user);
+-    home = pw->pw_dir;
++    home = strdup(pw->pw_dir);
+     assert_non_null(home);
+ 
+     snprintf(h, 256 - 1, "%s/.ssh", home);
+@@ -279,6 +279,8 @@ static void torture_path_expand_tilde_unix(void **stat
+     snprintf(h, 256 - 1, "%s/.ssh", home);
+     assert_string_equal(d, h);
+     free(d);
++    free(user);
++    free(home);
+ }
+ 
+ #endif /* _WIN32 */