Skip to main content

libssh2 CVE-2026-7598

| EUVDEUVD-2026-26722 MEDIUM
Integer Overflow or Wraparound (CWE-190)
2026-05-01 VulDB
6.9
CVSS 4.0 · Vendor: VulDB
Share

Severity by source

Vendor (VulDB) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Red Hat
9.1 HIGH
qualitative

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

8
Severity Changed
May 01, 2026 - 22:22 NVD
HIGH MEDIUM
CVSS changed
May 01, 2026 - 22:22 NVD
7.3 (HIGH) 6.9 (MEDIUM)
Source Code Evidence Fetched
May 01, 2026 - 22:15 vuln.today
Analysis Generated
May 01, 2026 - 22:15 vuln.today
EUVD ID Assigned
May 01, 2026 - 21:46 euvd
EUVD-2026-26722
Analysis Generated
May 01, 2026 - 21:46 vuln.today
Patch released
May 01, 2026 - 21:46 nvd
Patch available
CVE Published
May 01, 2026 - 21:30 nvd
MEDIUM 6.9

DescriptionCVE.org

A security vulnerability has been detected in libssh2 up to 1.11.1. The impacted element is the function userauth_password of the file src/userauth.c. Such manipulation of the argument username_len/password_len leads to integer overflow. The attack may be launched remotely. The name of the patch is 256d04b60d80bf1190e96b0ad1e91b2174d744b1. A patch should be applied to remediate this issue.

AnalysisAI

Integer overflow in libssh2 up to version 1.11.1 allows remote unauthenticated attackers to cause memory corruption during SSH password authentication. The vulnerability exists in the userauth_password function where inadequate bounds checking on username_len and password_len parameters can trigger integer overflow when calculating buffer sizes, potentially leading to confidentiality breach, integrity compromise, and service disruption. Upstream fix available via GitHub commit 256d04b60d80bf1190e96b0ad1e91b2174d744b1. No active exploitation confirmed (not in CISA KEV), but publicly accessible patch reveals exact exploitation technique.

Technical ContextAI

libssh2 is a widely-used C library implementing the SSH2 protocol, commonly integrated into applications like curl, git, and various file transfer tools. This vulnerability (CWE-190: Integer Overflow) occurs in src/userauth.c during SSH password authentication. The root cause is arithmetic overflow when the userauth_password function sums username_len, password_len, and protocol overhead constants (27, 40, or 44 bytes depending on code path) to allocate packet buffers. If username_len or password_len values approach UINT32_MAX, the addition wraps around to a small positive integer, causing undersized buffer allocation. Subsequent operations writing username and password data into this undersized buffer can corrupt heap metadata or adjacent memory regions. The patch adds explicit overflow checks comparing username_len against (UINT32_MAX - overhead) before arithmetic, and rewrites the conditional from additive form to subtraction-resistant form to prevent wraparound.

RemediationAI

Apply the upstream fix by upgrading to libssh2 versions incorporating commit 256d04b60d80bf1190e96b0ad1e91b2174d744b1 available at https://github.com/libssh2/libssh2/commit/256d04b60d80bf1190e96b0ad1e91b2174d744b1 and https://github.com/libssh2/libssh2/pull/1858. Note: Upstream fix available as PR/commit; released patched version not independently confirmed at time of analysis - verify with distribution vendors for packaged updates. For systems unable to immediately patch, implement compensating controls by deploying network-layer SSH traffic inspection to reject authentication packets with username or password length fields exceeding reasonable thresholds (recommend 256 bytes for username, 1024 bytes for password). This may break legitimate use cases involving very long credentials but significantly reduces attack surface. Additionally, restrict SSH service exposure to trusted networks via firewall rules, reducing remote attack opportunities. If libssh2 is used in application code, add input validation rejecting username_len or password_len values exceeding 1024 bytes before passing to libssh2 API - note this adds application-layer complexity and may conflict with future legitimate protocol usage.

CVE-2023-48795 MEDIUM POC
5.9 Dec 18

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot

CVE-2026-55200 CRITICAL POC
9.2 Jun 17

Remote code execution in libssh2 through version 1.11.1 stems from an unchecked packet_length field in ssh2_transport_re

CVE-2026-58050 HIGH POC
8.3 Jun 28

Heap buffer overflow in the libssh2 SSH client library (all versions through 1.11.1) lets a malicious or compromised SSH

CVE-2026-58051 HIGH POC
8.3 Jun 28

Free of an uninitialized, attacker-influenceable pointer in libssh2 through 1.11.1 allows a malicious SSH server to corr

CVE-2019-17498 HIGH POC
8.1 Oct 21

In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds che

CVE-2019-13115 HIGH POC
8.1 Jul 16

In libssh2 before 1.9.0, kex_method_diffie_hellman_group_exchange_sha256_key_exchange in kex.c has an integer overflow t

CVE-2019-3861 CRITICAL
9.1 Mar 25

An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SSH packets with a padding length value gre

CVE-2019-3860 CRITICAL
9.1 Mar 25

An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SFTP packets with empty payloads are parsed

CVE-2019-3858 CRITICAL
9.1 Mar 21

An out of bounds read flaw was discovered in libssh2 before 1.8.1 when a specially crafted SFTP packet is received from

CVE-2019-3862 CRITICAL
9.1 Mar 21

An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST packets with an exi

CVE-2019-3859 CRITICAL
9.1 Mar 21

An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the _libssh2_packet_require and _libssh2_packet_req

CVE-2019-3857 HIGH
8.8 Mar 25

An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way SS

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Micro 5.3 Fixed

Share

CVE-2026-7598 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy