libssh2 through 1.11.1 reads an attacker-controlled 32-bit attribute count from a publickey-subsystem response and uses it in the allocation numattrs * sizeof(libssh2publickey_attribute) without bounds checking, so on 32-bit platforms the multiplication overflows to an undersized buffer. A malicious SSH server can then drive the attribute-parsing loop to write past the allocation, causing a heap buffer overflow in a connecting libssh2 client.
{
"sources": [
{
"imported": "2026-07-10T13:58:54.300Z",
"html_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58050",
"database_specific": {
"status": "Analyzed"
},
"published": "2026-06-28T02:16:32.017Z",
"id": "CVE-2026-58050",
"url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-58050",
"modified": "2026-06-30T20:27:36.860Z"
},
{
"imported": "2026-07-10T13:59:00.465Z",
"id": "GHSA-mf77-5hj2-98w9",
"url": "https://api.github.com/advisories/GHSA-mf77-5hj2-98w9",
"published": "2026-06-28T03:33:40Z",
"html_url": "https://github.com/advisories/GHSA-mf77-5hj2-98w9",
"modified": "2026-06-28T03:33:43Z"
},
{
"imported": "2026-07-10T13:58:55.761Z",
"html_url": "https://euvd.enisa.europa.eu/vulnerability/EUVD-2026-39970",
"id": "EUVD-2026-39970",
"published": "2026-06-28T01:32:53Z",
"url": "https://euvdservices.enisa.europa.eu/api/enisaid?id=EUVD-2026-39970",
"modified": "2026-06-29T12:27:17Z"
}
],
"license": "CC-BY-4.0"
}