Vulnerability Description
libssh2 through 1.11.1 reads an attacker-controlled 32-bit attribute count from a publickey-subsystem response and uses it in the allocation num_attrs * sizeof(libssh2_publickey_attribute) without bounds checking, so on 32-bit platforms the multiplication overflows to an undersized buffer. A malicious SSH server can then drive the attribute-parsing loop to write past the allocation, causing a heap buffer overflow in a connecting libssh2 client.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://github.com/bikini/exploitarium/tree/main/libssh2-publickey-list-calc-poc
- https://github.com/libssh2/libssh2/blob/master/src/publickey.c
- https://www.vulncheck.com/advisories/libssh2-integer-overflow-in-publickey-subsy
FAQ
What is CVE-2026-58050?
CVE-2026-58050 is a vulnerability with a CVSS score of 7.0 (HIGH). libssh2 through 1.11.1 reads an attacker-controlled 32-bit attribute count from a publickey-subsystem response and uses it in the allocation num_attrs * sizeof(libssh2_publickey_attribute) without bou...
How severe is CVE-2026-58050?
CVE-2026-58050 has been rated HIGH with a CVSS base score of 7.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-58050?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.