{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-58051", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-06-28T00:55:25.426Z", "datePublished": "2026-06-28T01:32:54.283Z", "dateUpdated": "2026-06-29T12:50:00.766Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-06-28T01:32:54.283Z"}, "datePublic": "2026-06-25T00:00:00.000Z", "title": "libssh2 - Free of Uninitialized Pointer in publickey List Cleanup", "descriptions": [{"lang": "en", "value": "libssh2 through 1.11.1 grows its publickey list with SSH2_REALLOC but does not zero-initialize new entries before parsing populates them, so a parse failure reaching the cleanup path leaves libssh2_publickey_list_free operating on an uninitialized entry. A malicious SSH server offering the publickey subsystem can use a malformed response to make cleanup free an uninitialized, attacker-influenceable attrs pointer in a connecting libssh2 client."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Use of Uninitialized Resource", "cweId": "CWE-908", "type": "CWE"}]}], "affected": [{"vendor": "libssh2", "product": "libssh2", "defaultStatus": "affected", "versions": [{"version": "0", "status": "affected", "versionType": "semver", "lessThanOrEqual": "1.11.1"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:libssh2:libssh2:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.11.1"}]}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N", "attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.3, "baseSeverity": "HIGH"}}], "references": [{"url": "https://github.com/bikini/exploitarium/tree/main/libssh2-publickey-list-calc-poc", "name": "Proof of Concept", "tags": ["exploit", "third-party-advisory"]}, {"url": "https://github.com/libssh2/libssh2/blob/master/src/publickey.c", "name": "src/publickey.c", "tags": ["product"]}, {"name": "VulnCheck Advisory: libssh2 - Free of Uninitialized Pointer in publickey List Cleanup", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/libssh2-free-of-uninitialized-pointer-in-publickey-list-cleanup"}], "credits": [{"lang": "en", "value": "ashdfrkl", "type": "finder"}], "x_generator": {"engine": "vulncheck-endgame"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-29T12:49:30.651264Z", "id": "CVE-2026-58051", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-29T12:50:00.766Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-58051", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-29T12:49:30.651264Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-29T12:49:52.395Z"}}], "cna": {"title": "libssh2 - Free of Uninitialized Pointer in publickey List Cleanup", "credits": [{"lang": "en", "type": "finder", "value": "ashdfrkl"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "baseScore": 8.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "libssh2", "product": "libssh2", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.11.1"}], "defaultStatus": "affected"}], "datePublic": "2026-06-25T00:00:00.000Z", "references": [{"url": "https://github.com/bikini/exploitarium/tree/main/libssh2-publickey-list-calc-poc", "name": "Proof of Concept", "tags": ["exploit", "third-party-advisory"]}, {"url": "https://github.com/libssh2/libssh2/blob/master/src/publickey.c", "name": "src/publickey.c", "tags": ["product"]}, {"url": "https://www.vulncheck.com/advisories/libssh2-free-of-uninitialized-pointer-in-publickey-list-cleanup", "name": "VulnCheck Advisory: libssh2 - Free of Uninitialized Pointer in publickey List Cleanup", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck-endgame"}, "descriptions": [{"lang": "en", "value": "libssh2 through 1.11.1 grows its publickey list with SSH2_REALLOC but does not zero-initialize new entries before parsing populates them, so a parse failure reaching the cleanup path leaves libssh2_publickey_list_free operating on an uninitialized entry. A malicious SSH server offering the publickey subsystem can use a malformed response to make cleanup free an uninitialized, attacker-influenceable attrs pointer in a connecting libssh2 client."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-908", "description": "Use of Uninitialized Resource"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:libssh2:libssh2:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "1.11.1"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-06-28T01:32:54.283Z"}}}, "cveMetadata": {"cveId": "CVE-2026-58051", "state": "PUBLISHED", "dateUpdated": "2026-06-29T12:50:00.766Z", "dateReserved": "2026-06-28T00:55:25.426Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-06-28T01:32:54.283Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{}

{"bugzilla": {"description": "libssh2: libssh2: Denial of service or information disclosure via malformed SSH publickey response", "id": "2493950", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493950"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H", "status": "draft"}, "cwe": "CWE-824", "details": ["libssh2 through 1.11.1 grows its publickey list with SSH2_REALLOC but does not zero-initialize new entries before parsing populates them, so a parse failure reaching the cleanup path leaves libssh2_publickey_list_free operating on an uninitialized entry. A malicious SSH server offering the publickey subsystem can use a malformed response to make cleanup free an uninitialized, attacker-influenceable attrs pointer in a connecting libssh2 client.", "A flaw in libssh2 allows a malicious SSH server to send a malformed public key response, triggering an invalid memory cleanup. This can cause the connecting client application to crash or leak information."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, ensure your applications connect only to trusted and verified SSH servers. For added protection, maintain standard system memory defenses to automatically intercept and safely terminate any processes corrupted by an unexpected server error."}, "name": "CVE-2026-58051", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "libssh2", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "libssh2", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:hummingbird:1", "fix_state": "Fix deferred", "impact": "moderate", "package_name": "libssh2", "product_name": "Red Hat Hardened Images"}], "public_date": "2026-06-28T01:32:54Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-58051\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-58051\nhttps://github.com/bikini/exploitarium/tree/main/libssh2-publickey-list-calc-poc\nhttps://github.com/libssh2/libssh2/blob/master/src/publickey.c\nhttps://www.vulncheck.com/advisories/libssh2-free-of-uninitialized-pointer-in-publickey-list-cleanup"], "statement": "Moderate: This flaw in libssh2 can lead to a denial of service or information disclosure in client applications when connecting to a malicious SSH server. The vulnerability arises from improper handling of uninitialized memory during public key list processing, which an attacker can trigger with a specially crafted response. Exploitation requires active interaction with a compromised or malicious server, limiting the attack surface to untrusted connections.\nNote: Red Hat Enterprise Linux (RHEL) 8 and newer are not affected by this flaw, as they do not ship the libssh2 package.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.11.1]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "libssh2", "source": "cna", "vendor": "libssh2"}, "product": "libssh2", "vendor": "libssh2"}], "created": "2026-06-28T05:00:05.530084+00:00", "updated": "2026-06-30T02:45:05.227096+00:00", "vendors": ["libssh2", "libssh2$PRODUCT$libssh2"]}