libssh2 EUVD-2026-39970

CVE-2026-58050 HIGH
Integer Overflow or Wraparound (CWE-190)
2026-06-28 VulnCheck GHSA-mf77-5hj2-98w9
8.3
CVSS 4.0 · Vendor: VulnCheck

Severity by source

Vendor (VulnCheck) PRIMARY
8.3 HIGH
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.0 HIGH

Network-reachable from a malicious server with no client credentials (PR:N), but AC:H because only 32-bit builds overflow and the victim must connect to the attacker; impact is mainly availability (heap corruption).

CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H
CVSS 4.0: AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS Vector (Vendor: VulnCheck)

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline

Jun 28, 2026 - 02:30 (vuln.today): Analysis generated
Jun 28, 2026 - 02:22 (NVD): CVSS changed, 7.0 (HIGH) → 8.3 (HIGH)

Description (CVE.org)

libssh2 through 1.11.1 reads an attacker-controlled 32-bit attribute count from a publickey-subsystem response and uses it in the allocation num_attrs * sizeof(libssh2_publickey_attribute) without bounds checking, so on 32-bit platforms the multiplication overflows to an undersized buffer. A malicious SSH server can then drive the attribute-parsing loop to write past the allocation, causing a heap buffer overflow in a connecting libssh2 client.
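
The arithmetic behind the description, as an added example that is not libssh2's own code: it models a 32-bit `size_t` with `uint32_t` so the wraparound reproduces on any host, and sets it beside a checked size computation. The 20-byte structure size, the 8-byte minimum wire size per attribute and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: sizeof(libssh2_publickey_attribute) on a 32-bit (ILP32) build. */
#define ATTR_SIZE ((uint32_t)20)
/* Assumption: every attribute carries at least two 4-byte length prefixes. */
#define ATTR_MIN_WIRE ((uint32_t)8)

/* Unchecked form: the product is reduced modulo 2^32, as a 32-bit size_t would. */
uint32_t alloc_size_unchecked32(uint32_t num_attrs)
{
    return (uint32_t)(num_attrs * ATTR_SIZE);
}

/*
 * Checked form: returns 0 and stores the byte count in *out, or -1 when the
 * count cannot fit in the bytes still unread or the product would overflow.
 */
int alloc_size_checked32(uint32_t num_attrs, uint32_t bytes_left, uint32_t *out)
{
    if (num_attrs > bytes_left / ATTR_MIN_WIRE)
        return -1;                      /* more attributes than the packet can hold */
    if (num_attrs > UINT32_MAX / ATTR_SIZE)
        return -1;                      /* num_attrs * ATTR_SIZE would wrap */
    *out = (uint32_t)(num_attrs * ATTR_SIZE);
    return 0;
}

int main(void)
{
    uint32_t count = 0x0CCCCCCDu;       /* constructed sample count */
    uint32_t size = 0;

    /* 0x0CCCCCCD * 20 = 2^32 + 4, so the 32-bit result is 4 bytes. */
    printf("unchecked: %u attrs -> %u bytes allocated\n",
           (unsigned)count, (unsigned)alloc_size_unchecked32(count));

    if (alloc_size_checked32(count, UINT32_MAX, &size) != 0)
        printf("checked: count %u rejected\n", (unsigned)count);

    if (alloc_size_checked32(3, 64, &size) == 0)
        printf("checked: 3 attrs -> %u bytes\n", (unsigned)size);
    return 0;
}
```

On a 64-bit build the same multiplication does not wrap, which is why the description limits the overflow to 32-bit platforms.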

Analysis (AI)

Heap buffer overflow in the libssh2 SSH client library (all versions through 1.11.1) lets a malicious or compromised SSH server corrupt memory in any connecting client on 32-bit platforms. The publickey subsystem reads an attacker-supplied 32-bit attribute count and multiplies it by the attribute structure size without bounds checking, so the allocation integer-overflows to an undersized buffer that the parsing loop then writes past. …


Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

Access: Lure 32-bit client to malicious SSH server
Delivery: Client enters publickey subsystem exchange
Exploit: Server sends oversized 32-bit attribute count
Execution: Allocation integer-overflows to tiny buffer
Persist: Parsing loop writes past heap allocation
Impact: Heap corruption crashes or hijacks client

Vulnerability Assessment (AI)

Exploitation: Exploitation requires the victim libssh2 client (through 1.11.1) to initiate a connection to an attacker-controlled or compromised SSH server and to enter the publickey subsystem code path, and the client must be built for a 32-bit architecture so that num_attrs * sizeof(libssh2_publickey_attribute) overflows 32-bit size_t. …

Risk Assessment: The provided CVSS 4.0 vector (AV:N/AC:H/AT:N/PR:N/UI:N, VC:L/VI:L/VA:H, base 8.3) captures the key tension: the attack is network-reachable and needs no privileges, but AC:H reflects real constraints - the victim client must connect to an attacker-controlled SSH server and the target must be a 32-bit build for the multiplication to overflow, which excludes the now-dominant 64-bit deployments. …

Exploit Scenario: An attacker stands up a malicious SSH server (or compromises one) and waits for or lures a 32-bit libssh2 client to connect, for example an automated backup or sync job that uses libcurl SCP. During the publickey exchange the server returns a crafted response with a huge 32-bit attribute count that overflows the allocation, and the subsequent attribute-parsing loop writes past the undersized heap buffer, crashing the client or potentially corrupting heap memory for code execution. …

Remediation: No vendor-released patched version is identified in the supplied data, so monitor the libssh2 project and the VulnCheck advisory (https://www.vulncheck.com/advisories/libssh2-integer-overflow-in-publickey-subsystem-attribute-allocation) for a tagged release that adds bounds checking to the num_attrs allocation, and upgrade as soon as it ships. …

Recommended Action (AI)

Within 24 hours: Inventory all 32-bit systems using libssh2 versions through 1.11.1, particularly SSH clients and related applications. …


Vendor Status (Vendor)

Debian: libssh2

| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 1.9.0-2+deb11u1 | - |
| bookworm | vulnerable | 1.10.0-3 | - |
| trixie | vulnerable | 1.11.1-1 | - |
| trixie (security) | vulnerable | 1.11.1-1+deb13u1 | - |
| forky, sid | vulnerable | 1.11.1-4 | - |
| (unstable) | fixed | (unfixed) | - |


EUVD-2026-39970 vulnerability details – vuln.today
