CVE-2026-58050 | libssh2 through 1.11.1 reads an attacker-controlled 32-bit a… | CVSS 7.0 HIGH

Description

libssh2 through 1.11.1 reads an attacker-controlled 32-bit attribute count from a publickey-subsystem response and uses it in the allocation num_attrs * sizeof(libssh2_publickey_attribute) without bounds checking, so on 32-bit platforms the multiplication overflows to an undersized buffer. A malicious SSH server can then drive the attribute-parsing loop to write past the allocation, causing a heap buffer overflow in a connecting libssh2 client.

Metadata

CVE ID: CVE-2026-58050
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-28 00:55 UTC
Published: 2026-06-28 01:32 UTC
Last updated: 2026-06-28 01:32 UTC
Primary CWE: CWE-190
Integer Overflow or Wraparound
Vendor / Product: libssh2 / libssh2
Sources: cve.org · NVD

Severity & Metrics

7.0 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H

Affected products (1)

Vendor	Product	Platform	Versions
libssh2	libssh2	—	0 ≤ 1.11.1

Weakness (CWE)

CWE	Source	Description
CWE-190	cna	Integer Overflow or Wraparound

CVSS scores (2)

Score	Severity	Version	Source	Vector
8.3	HIGH	4.0	cna	CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N
7.0	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H

References (3)

Proof of Concept https://github.com/bikini/exploitarium/tree/main/libssh2-publickey-list-calc-poc
src/publickey.c https://github.com/libssh2/libssh2/blob/master/src/publickey.c
VulnCheck Advisory: libssh2 - Integer Overflow in publickey Subsystem Attribute Allocation https://www.vulncheck.com/advisories/libssh2-integer-overflow-in-publickey-subsystem-attribute-allocation