CVE-2026-58051
Received Received - Intake

libssh2 Publickey List Uninitialized Memory Use

Publication date: 2026-06-28

Last updated on: 2026-06-28

Assigner: VulnCheck

Description
libssh2 through 1.11.1 grows its publickey list with SSH2_REALLOC but does not zero-initialize new entries before parsing populates them, so a parse failure reaching the cleanup path leaves libssh2_publickey_list_free operating on an uninitialized entry. A malicious SSH server offering the publickey subsystem can use a malformed response to make cleanup free an uninitialized, attacker-influenceable attrs pointer in a connecting libssh2 client.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-28
Last Modified
2026-06-28
Generated
2026-06-28
AI Q&A
2026-06-28
EPSS Evaluated
N/A
NVD
CVE-2026-58051
EUVD
EUVD-2026-39971

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
libssh2 libssh2 1.11.1
libssh2 libssh2 to 1.11.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-908 The product uses or accesses a resource that has not been initialized.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-58051 is a vulnerability in the libssh2 library's publickey subsystem where the publickey list grows without zero-initializing new entries before parsing them. If parsing fails, the cleanup function may operate on uninitialized or attacker-controlled pointers, leading to memory corruption.

Specifically, a malicious SSH server can send malformed responses that trigger this flaw, causing the client to free uninitialized or attacker-influenced memory pointers during cleanup.

Exploits include two main paths: on Win32, an integer overflow causes a buffer overflow allowing arbitrary code execution; on Win64, a malformed response triggers premature freeing of attacker-shaped buffers, enabling execution of arbitrary code through heap manipulation.

The vulnerability affects multiple functions related to list growth, attribute allocation, parsing, and cleanup in the publickey subsystem.

Impact Analysis

This vulnerability can lead to undefined behavior such as application crashes, memory corruption, or even arbitrary code execution on the client using libssh2 when connecting to a malicious SSH server.

An attacker controlling an SSH server can exploit malformed publickey subsystem responses to manipulate memory pointers during cleanup, potentially executing malicious code or causing denial of service.

The CVSS v4 score of 8.3 indicates a high impact, particularly affecting availability and potentially allowing remote code execution without user interaction or privileges.

Detection Guidance

This vulnerability involves malformed responses from a malicious SSH server targeting the libssh2 client's publickey subsystem. Detection would involve monitoring SSH client interactions for unusual or malformed publickey subsystem responses that could trigger the vulnerability.

Proof-of-concept exploits and test cases are available that demonstrate the vulnerability through crafted SSH transport scenarios. Using these PoCs in a controlled environment can help detect if your libssh2 client is vulnerable.

Specific commands are not provided in the available resources, but you can test your system by running the proof-of-concept code from Resource 1, which includes exploit code targeting the vulnerability.

Mitigation Strategies

Immediate mitigation steps include updating libssh2 to a version later than 1.11.1 where the vulnerability is fixed by zero-initializing new list entries and rejecting oversized attribute counts.

If updating is not immediately possible, avoid connecting to untrusted or potentially malicious SSH servers that might exploit the malformed publickey subsystem responses.

Additionally, monitoring and filtering SSH traffic to detect and block malformed publickey subsystem responses can reduce exposure.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-58051. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart