<Vulnerability name="CVE-2026-58051">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Moderate</ThreatSeverity>
    <PublicDate>2026-06-28T01:32:54</PublicDate>
    <Bugzilla id="2493950" url="https://bugzilla.redhat.com/show_bug.cgi?id=2493950" xml:lang="en:us">
libssh2: libssh2: Denial of service or information disclosure via malformed SSH publickey response
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>6.5</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-824</CWE>
    <Details xml:lang="en:us" source="Mitre">
libssh2 through 1.11.1 grows its publickey list with SSH2_REALLOC but does not zero-initialize new entries before parsing populates them, so a parse failure reaching the cleanup path leaves libssh2_publickey_list_free operating on an uninitialized entry. A malicious SSH server offering the publickey subsystem can use a malformed response to make cleanup free an uninitialized, attacker-influenceable attrs pointer in a connecting libssh2 client.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw in libssh2 allows a malicious SSH server to send a malformed public key response, triggering an invalid memory cleanup. This can cause the connecting client application to crash or leak information.
    </Details>
    <Statement xml:lang="en:us">
Moderate: This flaw in libssh2 can lead to a denial of service or information disclosure in client applications when connecting to a malicious SSH server. The vulnerability arises from improper handling of uninitialized memory during public key list processing, which an attacker can trigger with a specially crafted response. Exploitation requires active interaction with a compromised or malicious server, limiting the attack surface to untrusted connections.

Note: Red Hat Enterprise Linux (RHEL) 8 and newer are not affected by this flaw, as they do not ship the libssh2 package.
    </Statement>
    <Mitigation xml:lang="en:us">
To mitigate this issue, ensure your applications connect only to trusted and verified SSH servers. For added protection, maintain standard system memory defenses to automatically intercept and safely terminate any processes corrupted by an unexpected server error.
    </Mitigation>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:6">
        <ProductName>Red Hat Enterprise Linux 6</ProductName>
        <FixState>Out of support scope</FixState>
        <PackageName>libssh2</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:7">
        <ProductName>Red Hat Enterprise Linux 7</ProductName>
        <FixState>Out of support scope</FixState>
        <PackageName>libssh2</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:hummingbird:1">
        <ProductName>Red Hat Hardened Images</ProductName>
        <FixState>Affected</FixState>
        <PackageName>libssh2</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-58051
https://nvd.nist.gov/vuln/detail/CVE-2026-58051
https://github.com/bikini/exploitarium/tree/main/libssh2-publickey-list-calc-poc
https://github.com/libssh2/libssh2/blob/master/src/publickey.c
https://www.vulncheck.com/advisories/libssh2-free-of-uninitialized-pointer-in-publickey-list-cleanup
    </References>
</Vulnerability>