Impact
libssh2 through 1.11.1 contains a flaw in the publickey list cleanup path where newly reallocated entries are not zero‑initialized before parsing. When a remote SSH server responds with malformed publickey subsystem data that triggers a parse failure, the cleanup routine attempts to free an uninitialized and attacker‑influenced pointer. This can lead to memory corruption or client process crash. The weakness is classified as CWE‑908 (Uninitialized Pointer) and CWE‑824 (Uninitialized Pointer).
Affected Systems
The vulnerability affects the libssh2 library distributed by the libssh2 project. Any software that embeds libssh2 1.11.1 or earlier is potentially impacted until updated to a patched release.
Risk and Exploitability
The CVSS score of 8.3 indicates a high severity. The EPSS score is less than 1%, and the issue is not listed in CISA's KEV catalog, indicating a low probability of exploitation. Based on the description, the likely attack vector is that the victim must initiate a connection to a malicious SSH server that sends a crafted publickey subsystem response, making the threat most relevant to client software exposed to untrusted SSH servers.
OpenCVE Enrichment
Ubuntu USN