Description
libssh2 through 1.11.1 grows its publickey list with SSH2_REALLOC but does not zero-initialize new entries before parsing populates them, so a parse failure reaching the cleanup path leaves libssh2_publickey_list_free operating on an uninitialized entry. A malicious SSH server offering the publickey subsystem can use a malformed response to make cleanup free an uninitialized, attacker-influenceable attrs pointer in a connecting libssh2 client.
Published: 2026-06-28
Score: 8.3 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

libssh2 through 1.11.1 contains a flaw in the publickey list cleanup path: entries added when the list is reallocated are not zero-initialized before parsing fills them in. When a remote SSH server responds with malformed publickey subsystem data that triggers a parse failure, the cleanup routine attempts to free an uninitialized, attacker-influenced pointer. This can lead to memory corruption or a client process crash. The weakness is classified as CWE-908 (Use of Uninitialized Resource).
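
The safe form of the pattern described above, as an added example in C (not libssh2's code and not the project's fix): a list grown through a caller-supplied realloc has its new entries zeroed before parsing, so cleanup after a parse failure only sees NULL or parser-set pointers. `pk_entry`, `pk_list_grow`, `pk_list_free`, `dirty_realloc` and `simulate_parse_failure` are hypothetical names, and the 0xAA-filling allocator is constructed to stand in for stale heap contents.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for this example, not libssh2's own types. */
typedef struct { char *name; void *attrs; } pk_entry;
typedef void *(*realloc_fn)(void *, size_t);

/* Constructed allocator: hands back blocks filled with 0xAA, standing in
 * for heap memory that still holds stale, attacker-influenced bytes. */
static size_t last_size;
static void *dirty_realloc(void *old, size_t n) {
    unsigned char *p = malloc(n);
    if (!p) return NULL;
    memset(p, 0xAA, n);
    if (old) { memcpy(p, old, last_size < n ? last_size : n); free(old); }
    last_size = n;
    return p;
}

/* Grow to new_n entries; zero the new tail so unparsed entries hold NULL. */
int pk_list_grow(pk_entry **list, size_t old_n, size_t new_n, realloc_fn ra) {
    pk_entry *p;
    if (new_n < old_n || new_n > (size_t)-1 / sizeof *p) return -1;
    p = ra(*list, new_n * sizeof *p);
    if (!p) return -1;                 /* *list is still valid for cleanup */
    memset(p + old_n, 0, (new_n - old_n) * sizeof *p);
    *list = p;
    return 0;
}

/* Cleanup path. Returns how many non-NULL attrs pointers it released. */
int pk_list_free(pk_entry *list, size_t n) {
    int released = 0;
    for (size_t i = 0; list && i < n; i++) {
        if (list[i].attrs) released++;
        free(list[i].attrs);           /* free(NULL) is a no-op */
        free(list[i].name);
    }
    free(list);
    return released;
}

/* Entry 0 parses; entry 1 is added, then parsing fails before any field is set. */
int simulate_parse_failure(void) {
    pk_entry *list = NULL;
    if (pk_list_grow(&list, 0, 1, dirty_realloc)) return -1;
    list[0].attrs = malloc(8);         /* parser-set pointer for entry 0 */
    if (pk_list_grow(&list, 1, 2, dirty_realloc)) { pk_list_free(list, 1); return -1; }
    return pk_list_free(list, 2);      /* must release exactly one attrs */
}
```

Without the `memset` in `pk_list_grow`, entry 1 would reach `pk_list_free` still holding the allocator's 0xAA bytes in `attrs` and `name`.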

Affected Systems

The vulnerability affects the libssh2 library distributed by the libssh2 project. Any software that embeds libssh2 1.11.1 or earlier is potentially impacted until updated to a patched release.

Risk and Exploitability

The CVSS 4.0 score of 8.3 indicates high severity. EPSS data is not available, and the issue is not listed in CISA's KEV catalog, suggesting limited exploitation activity. The attack requires the victim to initiate a connection to a malicious SSH server that sends the crafted publickey subsystem response, so the threat is most relevant to client software that connects to untrusted SSH servers.

Generated by OpenCVE AI on June 28, 2026 at 04:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade libssh2 to a release newer than 1.11.1 that contains the fix, once one is available.
  • If an upgrade is not immediately possible, disable use of the SSH publickey subsystem in the client so that it does not process attacker-crafted data.
  • Restrict connections to known, trusted SSH servers and monitor network traffic for unexpected malformed responses or client crashes.

Advisories

No advisories yet.

History

Sun, 28 Jun 2026 02:15:00 +0000

Values Added (no values removed):

Description: libssh2 through 1.11.1 grows its publickey list with SSH2_REALLOC but does not zero-initialize new entries before parsing populates them, so a parse failure reaching the cleanup path leaves libssh2_publickey_list_free operating on an uninitialized entry. A malicious SSH server offering the publickey subsystem can use a malformed response to make cleanup free an uninitialized, attacker-influenceable attrs pointer in a connecting libssh2 client.
Title: libssh2 - Free of Uninitialized Pointer in publickey List Cleanup
First Time appeared: Libssh2; Libssh2 libssh2
Weaknesses: CWE-908
CPEs: cpe:2.3:a:libssh2:libssh2:*:*:*:*:*:*:*:*
Vendors & Products: Libssh2; Libssh2 libssh2
References:
Metrics:
  • cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H'}
  • cvssV4_0: {'score': 8.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-28T01:32:54.283Z

Reserved: 2026-06-28T00:55:25.426Z

Link: CVE-2026-58051

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-28T05:00:05Z

Weaknesses
  • CWE-908: Use of Uninitialized Resource