Vulnerability Description
libssh2 through 1.11.1 grows its publickey list with SSH2_REALLOC but does not zero-initialize new entries before parsing populates them, so a parse failure reaching the cleanup path leaves libssh2_publickey_list_free operating on an uninitialized entry. A malicious SSH server offering the publickey subsystem can use a malformed response to make cleanup free an uninitialized, attacker-influenceable attrs pointer in a connecting libssh2 client.
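The mitigation the description points to, zeroing the new tail after each realloc so cleanup only ever sees NULL or owned pointers, shown as an added example. This is not libssh2's code or its patch; the `pk_entry` layout, the function names and the growth step of 2 are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct pk_entry {          /* hypothetical, simplified; not libssh2's struct */
    unsigned char *packet; /* owned response buffer */
    void *attrs;           /* owned attribute array, assigned late in parsing */
};
/* Grow by `add` entries and zero the new tail, so entries that parsing has not
 * populated yet hold NULL. old_n entries already exist, so only `add` can wrap. */
static struct pk_entry *pk_grow(struct pk_entry *list, size_t old_n, size_t add) {
    struct pk_entry *tmp;
    if (add == 0 || add > SIZE_MAX / sizeof(*list) - old_n) return NULL;
    tmp = realloc(list, (old_n + add) * sizeof(*list));
    if (tmp)
        memset(tmp + old_n, 0, add * sizeof(*tmp));
    return tmp;            /* on NULL the caller's old list is still valid */
}

/* Cleanup walks the whole allocation; returns how many non-NULL attrs it freed. */
static size_t pk_free(struct pk_entry *list, size_t n) {
    size_t freed = 0;
    for (size_t i = 0; list && i < n; i++) {
        freed += list[i].attrs != NULL;
        free(list[i].attrs);           /* free(NULL) is a no-op */
        free(list[i].packet);
    }
    free(list);
    return freed;
}

/* Constructed scenario: `good` well-formed responses, then optionally one that
 * fails to parse after its packet is stored but before attrs is assigned. */
static size_t pk_demo(size_t good, int then_malformed) {
    struct pk_entry *list = NULL, *tmp;
    size_t cap = 0, total = good + (then_malformed ? 1 : 0);
    for (size_t i = 0; i < total; i++) {
        if (i == cap) {
            tmp = pk_grow(list, cap, 2);
            if (!tmp) break;
            list = tmp; cap += 2;
        }
        list[i].packet = malloc(16);
        if (i >= good) break;          /* parse failure: fall through to cleanup */
        list[i].attrs = malloc(16);
    }
    return pk_free(list, cap);
}

int main(void) { return pk_demo(3, 1) == 3 ? 0 : 1; }
```

Without the `memset`, the entries past the last parsed one would carry whatever the allocator left in that memory, and `pk_free` would pass those values to `free`.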
CVSS Score
MEDIUM
Related Weaknesses (CWE)
References
- https://github.com/bikini/exploitarium/tree/main/libssh2-publickey-list-calc-poc
- https://github.com/libssh2/libssh2/blob/master/src/publickey.c
- https://www.vulncheck.com/advisories/libssh2-free-of-uninitialized-pointer-in-pu
FAQ
What is CVE-2026-58051?
CVE-2026-58051 is a vulnerability with a CVSS score of 6.5 (MEDIUM). libssh2 through 1.11.1 grows its publickey list with SSH2_REALLOC but does not zero-initialize new entries before parsing populates them, so a parse failure reaching the cleanup path leaves libssh2_pu...
How severe is CVE-2026-58051?
CVE-2026-58051 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2026-58051?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.