{"id":"CVE-2026-58051","summary":"libssh2 - Free of Uninitialized Pointer in publickey List Cleanup","details":"libssh2 through 1.11.1 grows its publickey list with SSH2_REALLOC but does not zero-initialize new entries before parsing populates them, so a parse failure reaching the cleanup path leaves libssh2_publickey_list_free operating on an uninitialized entry. A malicious SSH server offering the publickey subsystem can use a malformed response to make cleanup free an uninitialized, attacker-influenceable attrs pointer in a connecting libssh2 client.","modified":"2026-07-08T08:13:48.139421876Z","published":"2026-06-28T01:32:54.283Z","database_specific":{"cna_assigner":"VulnCheck","cwe_ids":["CWE-908"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/58xxx/CVE-2026-58051.json"},"references":[{"type":"WEB","url":"https://github.com/libssh2/libssh2/blob/master/src/publickey.c"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/58xxx/CVE-2026-58051.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-58051"},{"type":"ADVISORY","url":"https://www.vulncheck.com/advisories/libssh2-free-of-uninitialized-pointer-in-publickey-list-cleanup"},{"type":"EVIDENCE","url":"https://github.com/bikini/exploitarium/tree/main/libssh2-publickey-list-calc-poc"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/libssh2/libssh2","events":[{"introduced":"0"},{"last_affected":"a312b43325e3383c865a87bb1d26cb52e3292641"}],"database_specific":{"cpe":"cpe:2.3:a:libssh2:libssh2:*:*:*:*:*:*:*:*","source":["AFFECTED_FIELD","CPE_RANGE"],"extracted_events":[{"introduced":"0"},{"last_affected":"1.11.1"}]}}],"versions":["libssh2-1.11.1","libssh2-1.11.0","libssh2-1.10.0","libssh2-1.9.0","libssh2-1.8.0","libssh2-1.7.0","libssh2-1.6.0","libssh2-1.5.0","libssh2-1.4.3","libssh2-1.4.2","libssh2-1.4.1","libssh2-1.4.0","libssh2-1.3.0","libssh2-1.2.9","libssh2-1.2.8","libssh2-1.2.7","libssh2-1.2.6","libssh2-1.2.5","libssh2-1.2.4","libssh2-1.2.3","libssh2-1.2.1","libssh2-1.2","RELEASE.1.1","RELEASE.1.0","RELEASE.0.18","RELEASE.0.17","RELEASE.0.16","RELEASE.0.15","beforenb2-0.14","beforenb-0.14","RELEASE.0.14","RELEASE.0.13","RELEASE.0.12","RELEASE.0.11","RELEASE.0.10","RELEASE.0.8","RELEASE.0.7","RELEASE.0.6","RELEASE.0.5","RELEASE.0.3","RELEASE.0.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-58051.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N"}]}