Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable from a malicious server with no client credentials (PR:N), but AC:H because only 32-bit builds overflow and the victim must connect to the attacker; impact is mainly availability (heap corruption).
Primary rating from Vendor (VulnCheck).
Description (CVE.org)
libssh2 through 1.11.1 reads an attacker-controlled 32-bit attribute count from a publickey-subsystem response and uses it in the allocation num_attrs * sizeof(libssh2_publickey_attribute) without bounds checking, so on 32-bit platforms the multiplication overflows to an undersized buffer. A malicious SSH server can then drive the attribute-parsing loop to write past the allocation, causing a heap buffer overflow in a connecting libssh2 client.
Analysis (AI)
Heap buffer overflow in the libssh2 SSH client library (all versions through 1.11.1) lets a malicious or compromised SSH server corrupt memory in any connecting client on 32-bit platforms. The publickey subsystem reads an attacker-supplied 32-bit attribute count and multiplies it by the attribute structure size without bounds checking, so the allocation integer-overflows to an undersized buffer that the parsing loop then writes past. …
Attack Chain (AI-derived): hypothetical attack flow derived from CVE metadata.
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires the victim libssh2 client (through 1.11.1) to initiate a connection to an attacker-controlled or compromised SSH server and to enter the publickey subsystem code path, and the client must be built for a 32-bit architecture so that num_attrs * sizeof(libssh2_publickey_attribute) overflows the 32-bit size_t. … |
| Risk Assessment | The provided CVSS 4.0 vector (AV:N/AC:H/AT:N/PR:N/UI:N, VC:L/VI:L/VA:H, base 8.3) captures the key tension. The attack is network-reachable and needs no privileges, but AC:H reflects two real constraints: the victim client must connect to an attacker-controlled SSH server, and the target must be a 32-bit build for the multiplication to overflow, which excludes the now-dominant 64-bit deployments. … |
| Exploit Scenario | An attacker stands up a malicious SSH server (or compromises one) and waits for or lures a 32-bit libssh2 client to connect, for example an automated backup or sync job that uses libcurl SCP. During the publickey exchange the server returns a crafted response with a huge 32-bit attribute count that overflows the allocation, and the subsequent attribute-parsing loop writes past the undersized heap buffer, crashing the client or potentially corrupting heap memory for code execution. … |
| Remediation | No vendor-released patched version is identified in the supplied data, so monitor the libssh2 project and the VulnCheck advisory (https://www.vulncheck.com/advisories/libssh2-integer-overflow-in-publickey-subsystem-attribute-allocation) for a tagged release that adds bounds checking to the num_attrs allocation, and upgrade as soon as it ships. … |
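The following C sketch is an added illustration for the description and the Remediation row above; it is not libssh2's code and not part of this advisory. It models the unchecked `num_attrs * sizeof(...)` allocation with an explicit 32-bit size so the wrap is visible on any host, and puts beside it the bounds-checked form a fix needs: a cap on the count, a division-based overflow check against the target's SIZE_MAX, and an independent plausibility check against the remaining payload length. The `attr_stub` layout, the `MAX_ATTRS_SANE` cap and the `MIN_ATTR_WIRE_BYTES` minimum are assumptions chosen for the example, and the two response bodies are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a parsed attribute record; the real
 * libssh2_publickey_attribute layout is not reproduced here. */
typedef struct {
    const char *name;
    const char *value;
    uint32_t name_len;
    uint32_t value_len;
    int mandatory;
} attr_stub;

/* Assumed protocol-level sanity cap on the attribute count (example value). */
#define MAX_ATTRS_SANE 1024u

/* Assumed minimum on-wire size of one attribute: two length-prefixed
 * strings (4 bytes each when empty) plus a one-byte flag. */
#define MIN_ATTR_WIRE_BYTES 9u

/* Big-endian uint32 read, the SSH wire encoding of the attribute count. */
bool read_u32_be(const uint8_t *buf, size_t len, uint32_t *out) {
    if (len < 4) return false;
    *out = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
           ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];
    return true;
}

/* The vulnerable pattern, modelled with an explicit 32-bit size type so the
 * wrap shows on a 64-bit host too: num_attrs * elem_size reduced mod 2^32. */
uint32_t alloc_bytes_unchecked_32(uint32_t num_attrs, uint32_t elem_size) {
    return num_attrs * elem_size;
}

/* Hardened size computation. size_max stands for SIZE_MAX of the target
 * build (pass UINT32_MAX to model a 32-bit build). Returns false when the
 * count is implausible or the product cannot be represented. */
bool attr_alloc_size(uint32_t num_attrs, size_t elem_size, size_t size_max,
                     size_t *out_bytes) {
    if (elem_size == 0 || num_attrs > MAX_ATTRS_SANE) return false;
    if ((size_t)num_attrs > size_max / elem_size) return false;
    *out_bytes = (size_t)num_attrs * elem_size;
    return true;
}

/* Independent check: a count larger than the remaining payload could
 * possibly carry marks a malformed response regardless of the arithmetic. */
bool count_fits_payload(uint32_t num_attrs, size_t remaining) {
    return (uint64_t)num_attrs * MIN_ATTR_WIRE_BYTES <= remaining;
}

/* Parse the count from a response body and decide whether allocation
 * for num_attrs records may proceed. */
bool accept_attr_count(const uint8_t *body, size_t len, size_t size_max,
                       size_t *out_bytes) {
    uint32_t n;
    if (!read_u32_be(body, len, &n)) return false;
    if (!count_fits_payload(n, len - 4)) return false;
    return attr_alloc_size(n, sizeof(attr_stub), size_max, out_bytes);
}

int main(void) {
    /* Constructed body: count 0x10000001 with no attribute data behind it. */
    const uint8_t hostile[] = { 0x10, 0x00, 0x00, 0x01 };
    /* Constructed body: count 2 followed by two minimal (empty) attributes. */
    const uint8_t benign[] = { 0x00, 0x00, 0x00, 0x02,
                               0, 0, 0, 0, 0, 0, 0, 0, 0,
                               0, 0, 0, 0, 0, 0, 0, 0, 0 };
    size_t bytes = 0;
    bool ok;

    printf("32-bit model: %u attrs x 16 bytes -> %u-byte allocation\n",
           0x10000001u, alloc_bytes_unchecked_32(0x10000001u, 16));
    ok = accept_attr_count(hostile, sizeof hostile, UINT32_MAX, &bytes);
    printf("hostile count accepted: %d\n", ok);
    ok = accept_attr_count(benign, sizeof benign, UINT32_MAX, &bytes);
    printf("benign count accepted: %d (%zu bytes)\n", ok, bytes);
    return 0;
}
```

The division-based check (`num_attrs > size_max / elem_size`) is the portable way to detect the multiplication overflow before it happens; the payload-length check catches the same hostile response on 64-bit builds, where the arithmetic alone would not overflow but a count of 268 million attributes is still nonsense for a 4-byte body.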
Recommended Action (AI)
Within 24 hours: Inventory all 32-bit systems using libssh2 versions through 1.11.1, particularly SSH clients and related applications. …
Remote code execution in libssh2 through version 1.11.1 stems from an unchecked packet_length field in ssh2_transport_re
Free of an uninitialized, attacker-influenceable pointer in libssh2 through 1.11.1 allows a malicious SSH server to corr
Out-of-bounds heap read in libssh2 through 1.11.1 enables a malicious SFTP server or man-in-the-middle attacker to leak
Pre-authentication denial of service in libssh2 through 1.11.1 allows a malicious SSH server to pin a connecting client'
Integer overflow in libssh2 up to version 1.11.1 allows remote unauthenticated attackers to cause memory corruption duri
Same weakness: CWE-190 – Integer Overflow or Wraparound
Same technique: Buffer Overflow
Vendor Status
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 1.9.0-2+deb11u1 | - |
| bookworm | vulnerable | 1.10.0-3 | - |
| trixie | vulnerable | 1.11.1-1 | - |
| trixie (security) | vulnerable | 1.11.1-1+deb13u1 | - |
| forky, sid | vulnerable | 1.11.1-4 | - |
| (unstable) | fixed | (unfixed) | - |
EUVD-2026-39970
GHSA-mf77-5hj2-98w9