Impact
libssh2 versions up to 1.11.1 contain a signed integer overflow: an attacker-controlled 32-bit attribute count taken from a publickey-subsystem response is multiplied by the size of a public key attribute structure without any bounds check. On 32-bit platforms the product wraps, so the allocation that follows is undersized, and the attribute-parsing loop, which still iterates over the full count, writes past the end of that buffer. The result is a heap buffer overflow in the connecting libssh2 client, which can be escalated to arbitrary code execution. The weakness is classified as CWE-190 (Integer Overflow or Wraparound). It is therefore a high-risk condition that lets a malicious server compromise a client's confidentiality, integrity, and availability.
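As an added illustration, and not libssh2's own code, the following C models the allocation-size computation the advisory describes on a 32-bit platform: the unchecked product beside an overflow-checked version that a hardened parser would use. The attribute structure size and the function names are assumptions; the product is computed in 64 bits and truncated so the wrap is deterministic on any host.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed size of the public key attribute structure on a 32-bit build
   (two pointers, two 32-bit lengths, one flag byte, padded). */
#define ATTR_SIZE_32BIT 20u

/* Models the flawed computation: a 32-bit count times the element size,
   stored in a 32-bit size_t, wraps modulo 2^32. The advisory's parser then
   loops over the full count while the buffer only holds the wrapped size. */
uint32_t attr_alloc_size_unchecked(uint32_t count, uint32_t elem_size)
{
    return (uint32_t)((uint64_t)count * elem_size);  /* truncated product */
}

/* Hardened form: refuse any count whose product cannot be represented in a
   32-bit size_t. Returns 1 and sets *out on success, 0 (and *out = 0) when
   the multiplication would overflow. */
int attr_alloc_size_checked(uint32_t count, uint32_t elem_size, uint32_t *out)
{
    if (elem_size == 0 || count > UINT32_MAX / elem_size) {
        *out = 0;
        return 0;  /* reject the response instead of allocating */
    }
    *out = count * elem_size;
    return 1;
}

int main(void)
{
    uint32_t out;
    /* Constructed hostile count: 0x40000001 * 20 = 0x500000014, whose low
       32 bits are 20, i.e. room for a single attribute. */
    uint32_t hostile = 0x40000001u;
    printf("unchecked size for %u attrs: %u bytes\n", hostile,
           attr_alloc_size_unchecked(hostile, ATTR_SIZE_32BIT));
    printf("checked accepts hostile count: %d\n",
           attr_alloc_size_checked(hostile, ATTR_SIZE_32BIT, &out));
    /* A benign count from a well-behaved server passes the check. */
    printf("checked accepts 3 attrs: %d (%u bytes)\n",
           attr_alloc_size_checked(3u, ATTR_SIZE_32BIT, &out), out);
    return 0;
}
```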
Affected Systems
The flaw affects the libssh2 library, specifically releases up to and including version 1.11.1. Systems that embed this library in 32-bit environments are susceptible regardless of operating system, as the overflowing calculation is performed purely in the library code.
Risk and Exploitability
The CVSS score of 8.3 indicates a high severity. EPSS data is not available, but the vulnerability exists in widely used versions of libssh2, and the exploit path requires only a malicious SSH server that returns an inflated attribute count in a publickey subsystem response. Because the client performs no bounds checking, a remote attacker who controls the server can trigger the overflow with a crafted response. Exploitation does not appear to require privileged access on the client side, and the absence of a KEV listing suggests that exploitation is possible but not yet widespread. Consequently, the risk is substantial, especially for deployments that rely on older libssh2 releases and communicate with untrusted SSH servers.
OpenCVE Enrichment