
libssh2 CVE-2026-58051

EUVD: EUVD-2026-39971 · HIGH
Use of Uninitialized Resource (CWE-908)
2026-06-28 · VulnCheck · GHSA-c5f3-hwj2-xp5p
CVSS 4.0: 8.3 (Vendor: VulnCheck)

Severity by source

Vendor (VulnCheck), PRIMARY: 8.3 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI: 6.5 MEDIUM

Network-reachable but victim must connect to a malicious server and attacker must shape an uninitialized pointer (AC:H); no auth (PR:N); primary impact is crash/DoS (A:H) with limited integrity, no confidentiality (C:N).

CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
CVSS 4.0: AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS Vector (Vendor: VulnCheck)

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: X

Lifecycle Timeline

  • Analysis Generated: Jun 28, 2026 - 02:30 (vuln.today)
  • Severity Changed: Jun 28, 2026 - 02:22 (NVD), MEDIUM → HIGH
  • CVSS changed: Jun 28, 2026 - 02:22 (NVD), 6.5 (MEDIUM) → 8.3 (HIGH)

Description (CVE.org)

libssh2 through 1.11.1 grows its publickey list with SSH2_REALLOC but does not zero-initialize new entries before parsing populates them, so a parse failure reaching the cleanup path leaves libssh2_publickey_list_free operating on an uninitialized entry. A malicious SSH server offering the publickey subsystem can use a malformed response to make cleanup free an uninitialized, attacker-influenceable attrs pointer in a connecting libssh2 client.
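
The failure mode described above, shown from the defensive side in a self-contained C example (added here; it is not libssh2 source, and every type and function name is hypothetical). `dirty_realloc` simulates a heap that returns stale bytes, and the input is a constructed array of attribute counts in which a negative value stands for a malformed record. Because each new slot is zeroed before parsing, cleanup after a parse failure only ever sees NULL or owned pointers.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical types for illustration; these are not libssh2's structures. */
struct entry { char **attrs; size_t num_attrs; };
struct list  { struct entry *items; size_t count; };
/* Simulates a heap handing back stale bytes: the grown tail is set to 0xA5. */
static void *dirty_realloc(void *p, size_t old_sz, size_t new_sz) {
    unsigned char *q = realloc(p, new_sz);
    if (q && new_sz > old_sz) memset(q + old_sz, 0xA5, new_sz - old_sz);
    return q;
}

/* Append one slot and zero it before any parsing step can fail. */
static struct entry *list_append(struct list *l) {
    size_t sz = sizeof(struct entry);
    if (l->count >= (size_t)-1 / sz) return NULL;  /* size overflow guard */
    struct entry *p = dirty_realloc(l->items, l->count * sz, (l->count + 1) * sz);
    if (!p) return NULL;
    l->items = p;
    memset(&p[l->count], 0, sz);  /* the initialization this bug class omits */
    return &p[l->count++];
}

/* Safe on unpopulated entries: there attrs is NULL and num_attrs is 0. */
static void list_free(struct list *l) {
    for (size_t i = 0; i < l->count; i++) {
        for (size_t j = 0; j < l->items[i].num_attrs; j++) free(l->items[i].attrs[j]);
        free(l->items[i].attrs);
    }
    free(l->items); l->items = NULL; l->count = 0;
}

/* Constructed input: one attribute count per record; negative means malformed. */
static int parse_records(struct list *l, const int *counts, size_t n) {
    for (size_t i = 0; i < n; i++) {
        struct entry *e = list_append(l);
        if (!e || counts[i] < 0) return -1;  /* slot counted, never populated */
        if (!(e->attrs = calloc((size_t)counts[i] + 1, sizeof(char *)))) return -1;
        e->num_attrs = (size_t)counts[i];
    }
    return 0;
}

int main(void) {
    const int counts[] = { 2, -1, 1 };  /* constructed: second record malformed */
    struct list l = { 0 };
    int rc = parse_records(&l, counts, 3);
    list_free(&l);  /* cleanup after the failed parse */
    return rc == -1 ? 0 : 1;
}
```

Removing the zeroing `memset` in `list_append` leaves the second entry holding the 0xA5 filler, which is the state the cleanup loop must never be handed.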

Analysis (AI)

Free of an uninitialized, attacker-influenceable pointer in libssh2 through 1.11.1 allows a malicious SSH server to corrupt memory in any connecting client that uses the publickey subsystem. The publickey list is grown via SSH2_REALLOC without zero-initializing new entries, so a server-induced parse failure that reaches the cleanup path causes libssh2_publickey_list_free to operate on an uninitialized attrs pointer. …


Attack Chain (AI, Derived)

Hypothetical attack flow derived from CVE metadata

  • Access: Lure client to malicious SSH server
  • Delivery: Client negotiates publickey subsystem
  • Exploit: Server sends malformed publickey response
  • Execution: Parse failure reaches cleanup path
  • Persist: Free of uninitialized attrs pointer
  • Impact: Client memory corruption or crash

Vulnerability Assessment (AI)

Exploitation: Exploitation requires that the victim is a libssh2 client (version ≤ 1.11.1) that initiates an SSH connection to a server the attacker controls or has compromised, and that the connection uses the publickey subsystem so the vulnerable list-growth code in publickey.c is exercised. …

Risk Assessment: This is a genuine, prioritize-worthy client-side risk because exploitation is network-reachable with no authentication (PR:N, UI:N) and public PoC code exists, but several signals temper it. …

Exploit Scenario: An attacker stands up or compromises an SSH server and lures or coerces a libssh2-based client (for example an automation job, sync tool, or appliance) into connecting and negotiating the publickey subsystem. The server returns a deliberately malformed publickey response that forces a parse failure into the cleanup path, causing the client to free an uninitialized attrs pointer; publicly available PoC code demonstrates triggering this calc/cleanup flaw. …

Remediation: No vendor-released patched version is identified in the provided data. The references point to the upstream source file (src/publickey.c) and the VulnCheck advisory rather than a tagged release, so the released patched version is not independently confirmed. Track the VulnCheck advisory (https://www.vulncheck.com/advisories/libssh2-free-of-uninitialized-pointer-in-publickey-list-cleanup) and the libssh2 project for a fixed tag above 1.11.1 and upgrade as soon as it ships, then rebuild and redeploy all downstream software linked against libssh2. …

Recommended Action (AI)

24 hours: Identify all applications and systems using libssh2 versions 1.11.1 and earlier; audit SSH server connections and restrict to trusted internal infrastructure only. …


Vendor Status (Vendor)

Debian: libssh2

| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 1.9.0-2+deb11u1 | - |
| bookworm | vulnerable | 1.10.0-3 | - |
| trixie | vulnerable | 1.11.1-1 | - |
| trixie (security) | vulnerable | 1.11.1-1+deb13u1 | - |
| forky, sid | vulnerable | 1.11.1-4 | - |
| (unstable) | fixed | (unfixed) | - |
