CVE-2026-58050 - libssh2 publickey attribute count integer overflow
CVE-2026-58050 - libssh2 publickey attribute count integer overflow - High - 2026-06-28
Business risk: A malicious SSH server can corrupt memory in clients, deployment agents, or embedded devices that connect outbound.
Root cause: An attacker-controlled 32-bit attribute count is multiplied by sizeof(attribute) without overflow checking.
Affected versions
- Vulnerable: libssh2 through 1.11.1 on 32-bit platforms using the publickey subsystem against a malicious SSH server.
- Fixed / safe target: Upgrade/backport a fix that bounds attribute counts and checks multiplication overflow before allocation.
- CVSS: 7.0 (High)
Exact vulnerable code pattern
uint32_t num_attrs = _libssh2_ntohu32(buf);
attrs = LIBSSH2_ALLOC(session, num_attrs * sizeof(libssh2_publickey_attribute));
for (i = 0; i < num_attrs; i++) { attrs[i] = parse_attr(packet); }
Fixed / mitigated code pattern
uint32_t num_attrs = _libssh2_ntohu32(buf);
if (num_attrs > SIZE_MAX / sizeof(libssh2_publickey_attribute)) {
return LIBSSH2_ERROR_OUT_OF_BOUNDARY;
}
attrs = LIBSSH2_ALLOC(session, (size_t)num_attrs * sizeof(*attrs));
Step-by-step integration guide
- Inventory libssh2 package and vendored-source versions.
- Upgrade or backport checked allocation.
- Rebuild curl/git/agent binaries that statically link libssh2.
- Add malicious publickey-subsystem response tests or fuzz cases.
- Allow-list SSH servers contacted by automation.
Alternative mitigations
- Avoid connecting vulnerable clients to untrusted SSH servers.
- Disable publickey-subsystem operations where not required.
- Run affected clients with process sandboxing while backports are prepared.
Detection signature
rg -n "libssh2_publickey|libssh2|publickey.c|LIBSSH2_VERSION|ssh2" .
Copy-paste skill block
Model context: this prompt was generated by GPT 5.5 Extra High reasoning.
Remediate CVE-2026-58050: libssh2 publickey attribute count integer overflow.
Required output:
- A reviewer-ready PR with dependency/config/code changes, tests, and deployment notes; or
- TRIAGE.md if the affected runtime is outside this repository.
Steps:
1. Confirm exposure using the detection signature above.
2. Apply the fixed or mitigated pattern.
3. Add or run a regression test for the exploit shape.
4. Record commands, versions, and residual risk in the PR body.
Boundaries:
- Scope only CVE-2026-58050 and directly related hardening.
- Do not run destructive exploit payloads against production.
- Preserve existing behavior except for the vulnerable path.
Tags and revenue routing
- Keywords: cve, libssh2, ssh, integer-overflow, heap-overflow, sellable_to_infrastructure, zero_day_gold, high
- Affected tech stack: c/cpp
- Revenue tags: sellable_to_infrastructure, zero_day_gold