Description
libssh2 through 1.11.1 reads an attacker-controlled 32-bit attribute count from a publickey-subsystem response and uses it in the allocation num_attrs * sizeof(libssh2_publickey_attribute) without bounds checking, so on 32-bit platforms the multiplication overflows to an undersized buffer. A malicious SSH server can then drive the attribute-parsing loop to write past the allocation, causing a heap buffer overflow in a connecting libssh2 client.
Published: 2026-06-28
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

libssh2 versions up to and including 1.11.1 contain a signed integer overflow that occurs when an attacker‑controlled 32‑bit attribute count from a publickey‑subsystem response is multiplied by the size of a public key attribute structure without bounds checking. The overflow produces an undersized buffer on 32‑bit platforms, and the subsequent attribute‑parsing loop can write past the end of this buffer. The result is a heap buffer overflow in a connecting libssh2 client, which can be escalated to arbitrary code execution. This weakness is identified as CWE‑190 and CWE‑787. The vulnerability is therefore a high‑risk condition that permits an attacker to compromise a client’s confidentiality, integrity, and availability.

Affected Systems

The flaw affects the libssh2 library, specifically releases up to and including version 1.11.1. Systems that embed this library in 32‑bit environments are susceptible, regardless of operating system, as the integer overflow calculation is performed purely in the library code.

Risk and Exploitability

The CVSS score of 8.3 indicates a high severity. The EPSS score is < 1%, indicating a low but nonzero probability of exploitation, but the vulnerability exists in widely used versions of libssh2, and the exploit path requires only a malicious SSH server that returns an inflated attribute count in a publickey subsystem response. Because the client performs no bounds checking, the overflow can be triggered with crafted traffic that a remote attacker can generate. The exploit does not appear to require privileged access on the client side, and the lack of KEV listing suggests that exploitation is possible but not yet widespread. Consequently, the risk is substantial, especially for deployments that rely on older libssh2 releases and communicate with untrusted SSH servers.

Generated by OpenCVE AI on June 30, 2026 at 02:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade libssh2 to a version that addresses the integer overflow, such as 1.11.2 or later.
  • If upgrading immediately is not feasible, limit libssh2 connections to trusted SSH servers only.
  • If you cannot upgrade or restrict connections, modify your application to validate the publickey‑subsystem response attribute count and reject responses with unusually large counts before passing to libssh2.

Generated by OpenCVE AI on June 30, 2026 at 02:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Ubuntu USN Ubuntu USN USN-8532-1 libssh2 vulnerabilities
History

Tue, 30 Jun 2026 00:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787
References
Metrics threat_severity

None

threat_severity

Moderate


Mon, 29 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 28 Jun 2026 02:15:00 +0000

Type Values Removed Values Added
Description libssh2 through 1.11.1 reads an attacker-controlled 32-bit attribute count from a publickey-subsystem response and uses it in the allocation num_attrs * sizeof(libssh2_publickey_attribute) without bounds checking, so on 32-bit platforms the multiplication overflows to an undersized buffer. A malicious SSH server can then drive the attribute-parsing loop to write past the allocation, causing a heap buffer overflow in a connecting libssh2 client.
Title libssh2 - Integer Overflow in publickey Subsystem Attribute Allocation
First Time appeared Libssh2
Libssh2 libssh2
Weaknesses CWE-190
CPEs cpe:2.3:a:libssh2:libssh2:*:*:*:*:*:*:*:*
Vendors & Products Libssh2
Libssh2 libssh2
References
Metrics cvssV3_1

{'score': 7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H'}

cvssV4_0

{'score': 8.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-29T12:27:17.078Z

Reserved: 2026-06-28T00:55:25.426Z

Link: CVE-2026-58050

cve-icon Vulnrichment

Updated: 2026-06-29T12:27:05.430Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-28T01:32:53Z

Links: CVE-2026-58050 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-30T02:45:05Z

Weaknesses