Description
libssh2 through 1.11.1 grows its publickey list with SSH2_REALLOC but does not zero-initialize new entries before parsing populates them, so a parse failure reaching the cleanup path leaves libssh2_publickey_list_free operating on an uninitialized entry. A malicious SSH server offering the publickey subsystem can use a malformed response to make cleanup free an uninitialized, attacker-influenceable attrs pointer in a connecting libssh2 client.
Published: 2026-06-28
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

libssh2 through 1.11.1 contains a flaw in the publickey list cleanup path where newly reallocated entries are not zero‑initialized before parsing. When a remote SSH server responds with malformed publickey subsystem data that triggers a parse failure, the cleanup routine attempts to free an uninitialized and attacker‑influenced pointer. This can lead to memory corruption or client process crash. The weakness is classified as CWE‑908 (Uninitialized Pointer) and CWE‑824 (Uninitialized Pointer).

Affected Systems

The vulnerability affects the libssh2 library distributed by the libssh2 project. Any software that embeds libssh2 1.11.1 or earlier is potentially impacted until updated to a patched release.

Risk and Exploitability

The CVSS score of 8.3 indicates a high severity. The EPSS score is less than 1%, and the issue is not listed in CISA's KEV catalog, indicating a low probability of exploitation. Based on the description, the likely attack vector is that the victim must initiate a connection to a malicious SSH server that sends a crafted publickey subsystem response, making the threat most relevant to client software exposed to untrusted SSH servers.

Generated by OpenCVE AI on June 30, 2026 at 02:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade libssh2 to a version newer than 1.11.1 that contains the flaw fix.
  • If an upgrade is not immediately possible, disable the publickey subsystem or disable the SSH publickey subsystem feature in the client configuration to avoid processing attacker‑crafted data.
  • Restrict connections to known, trusted SSH servers and monitor network traffic for unexpected malformed responses or client crashes.

Generated by OpenCVE AI on June 30, 2026 at 02:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Ubuntu USN Ubuntu USN USN-8532-1 libssh2 vulnerabilities
History

Tue, 30 Jun 2026 00:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-824
References
Metrics threat_severity

None

threat_severity

Moderate


Mon, 29 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 28 Jun 2026 02:15:00 +0000

Type Values Removed Values Added
Description libssh2 through 1.11.1 grows its publickey list with SSH2_REALLOC but does not zero-initialize new entries before parsing populates them, so a parse failure reaching the cleanup path leaves libssh2_publickey_list_free operating on an uninitialized entry. A malicious SSH server offering the publickey subsystem can use a malformed response to make cleanup free an uninitialized, attacker-influenceable attrs pointer in a connecting libssh2 client.
Title libssh2 - Free of Uninitialized Pointer in publickey List Cleanup
First Time appeared Libssh2
Libssh2 libssh2
Weaknesses CWE-908
CPEs cpe:2.3:a:libssh2:libssh2:*:*:*:*:*:*:*:*
Vendors & Products Libssh2
Libssh2 libssh2
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H'}

cvssV4_0

{'score': 8.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-29T12:50:00.766Z

Reserved: 2026-06-28T00:55:25.426Z

Link: CVE-2026-58051

cve-icon Vulnrichment

Updated: 2026-06-29T12:49:52.395Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-28T01:32:54Z

Links: CVE-2026-58051 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-30T02:45:05Z

Weaknesses
  • CWE-824

    Access of Uninitialized Pointer

  • CWE-908

    Use of Uninitialized Resource