Public Key List Vulnerability in libssh2 by the Vendor libssh2
CVE-2026-58051

8.3HIGH

Key Information:

Vendor

Libssh2

Status
Vendor
CVE Published:
28 June 2026

What is CVE-2026-58051?

The libssh2 library, specifically version 1.11.1 and earlier, contains a vulnerability related to its handling of public key lists. During the allocation of new entries in the public key list, the library does not adequately zero-initialize these entries. Consequently, if a connection is made to a malicious SSH server that provides a malformed response, this can result in a parse failure. Such a failure leads to a scenario where cleanup functions operate on an uninitialized entry, potentially allowing an attacker to influence and exploit pointers in the connecting libssh2 client.

Affected Version(s)

libssh2 0 <= 1.11.1

References

CVSS V4

Score:
8.3
Severity:
HIGH
Confidentiality:
None
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

ashdfrkl
.