{"id":"JLSEC-2026-663","summary":"libssh2 through 1.11.1 grows its publickey list with SSH2_REALLOC but does not zero-initialize...","details":"libssh2 through 1.11.1 grows its publickey list with SSH2_REALLOC but does not zero-initialize new entries before parsing populates them, so a parse failure reaching the cleanup path leaves libssh2_publickey_list_free operating on an uninitialized entry. A malicious SSH server offering the publickey subsystem can use a malformed response to make cleanup free an uninitialized, attacker-influenceable attrs pointer in a connecting libssh2 client.","modified":"2026-07-11T04:19:53.480075944Z","published":"2026-07-11T04:13:36.542Z","upstream":["CVE-2026-58051","EUVD-2026-39971","GHSA-c5f3-hwj2-xp5p"],"database_specific":{"sources":[{"database_specific":{"status":"Analyzed"},"id":"CVE-2026-58051","imported":"2026-07-10T13:58:54.323Z","modified":"2026-06-30T17:42:04.473Z","published":"2026-06-28T02:16:32.153Z","url":"https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-58051","html_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-58051"},{"html_url":"https://github.com/advisories/GHSA-c5f3-hwj2-xp5p","id":"GHSA-c5f3-hwj2-xp5p","imported":"2026-07-10T13:58:58.999Z","modified":"2026-06-28T03:33:40Z","published":"2026-06-28T03:33:40Z","url":"https://api.github.com/advisories/GHSA-c5f3-hwj2-xp5p"},{"published":"2026-06-28T01:32:54Z","url":"https://euvdservices.enisa.europa.eu/api/enisaid?id=EUVD-2026-39971","html_url":"https://euvd.enisa.europa.eu/vulnerability/EUVD-2026-39971","id":"EUVD-2026-39971","imported":"2026-07-10T13:58:55.738Z","modified":"2026-06-29T12:50:00Z"}],"license":"CC-BY-4.0"},"references":[{"type":"WEB","url":"https://github.com/advisories/GHSA-c5f3-hwj2-xp5p"},{"type":"WEB","url":"https://github.com/bikini/exploitarium/tree/main/libssh2-publickey-list-calc-poc"},{"type":"WEB","url":"https://github.com/libssh2/libssh2/blob/master/src/publickey.c"},{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-58051"},{"type":"WEB","url":"https://www.vulncheck.com/advisories/libssh2-free-of-uninitialized-pointer-in-publickey-list-cleanup"}],"affected":[{"package":{"name":"LibSSH2_jll","ecosystem":"Julia","purl":"pkg:julia/LibSSH2_jll?uuid=29816b5a-b9ab-546f-933c-edad1886dfa8"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.11.103+0"}]}],"database_specific":{"source":"https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-663.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N"}]}