- CVE: CVE-2026-58050
- CVSS: 8.3 (High · CVSSv4)
- Product: libssh2
- Affected: ≤ 1.11.1
- Impact: libssh2 - Integer Overflow in publickey Subsystem Attribute Allocation
- Status: No confirmed exploitation yet
- EPSS: 0.3% (30-day)
- Action: Upgrade libssh2 to a fixed build as soon as one is available!
TL;DR
Researchers publicly disclosed a libssh2 vulnerability tracked as CVE-2026-58050. The flaw lets a malicious SSH server corrupt the heap of a connecting client. Proof-of-concept exploit code is already public, and the bug scores 8.3 under CVSS v4.
Why It Matters
libssh2 powers SSH inside many tools, libraries, and embedded devices. It ships in file transfer clients, automation frameworks, and language bindings, so this vulnerability reaches far beyond one product. The bug attacks the client, not the server: anyone who connects to a hostile or hijacked SSH server is at risk, and a man-in-the-middle attacker who can pose as the server fits the same profile. The CVE also joins a wave of libssh2 flaws fixed this June, including the critical CVE-2026-55200. Because the exploit is public, defenders should treat patching as urgent.
How the Attack Works
The flaw lives in the publickey subsystem parser. libssh2 reads a 32-bit attribute count from a server response, then multiplies that count by a struct size to compute the size of a buffer. On 32-bit platforms, the multiplication wraps around and yields a tiny allocation. As a result, the attribute loop writes past the end of the buffer and corrupts the heap. VulnCheck’s advisory details the integer overflow, while the public proof-of-concept demonstrates code execution on Windows builds. The root cause is a missing bounds check, classed as CWE-190. Reliable exploitation is not trivial, which is why scorers mark the attack complexity as high.
Affected Versions
This libssh2 vulnerability affects all versions through 1.11.1. The 32-bit overflow path is the main concern, since the multiplication wraps there.
Patch and Mitigation
Upgrade libssh2 to a fixed build as soon as one is available for your platform. The fix adds a bounds check on the attribute count and zeroes new list entries. Rebuild every app and container that bundles the library, not just the main service. Until you patch, restrict outbound SSH to trusted, allow-listed hosts. No in-the-wild exploitation has been confirmed. Still, the public proof-of-concept lowers the bar for attackers, so move quickly.
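The size calculation described under How the Attack Works, next to the kind of bounds check and zeroed allocation described above, as an added example that is not libssh2's code. The 20-byte `ENTRY_SIZE`, the function names, and the use of `uint32_t` to model a 32-bit `size_t` are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed size of one in-memory attribute record on a 32-bit build
 * (two pointers, two 32-bit lengths, one flag, padded). Illustrative only. */
#define ENTRY_SIZE 20u

/* Models the unchecked computation with a 32-bit size_t: the product is
 * reduced modulo 2^32, so a large count yields a small allocation size. */
uint32_t unchecked_size32(uint32_t count)
{
    return count * ENTRY_SIZE;
}

/* Checked form: refuse any count whose product cannot be represented.
 * Returns 0 and stores the size on success, -1 on rejection. */
int checked_size32(uint32_t count, uint32_t *size_out)
{
    if (count > UINT32_MAX / ENTRY_SIZE)
        return -1;
    *size_out = count * ENTRY_SIZE;
    return 0;
}

/* Hypothetical allocator wrapper: bounds-check first, then return zeroed
 * entries so later cleanup never sees uninitialised pointers. */
void *alloc_attr_list(uint32_t count)
{
    uint32_t size;
    if (count == 0 || checked_size32(count, &size) != 0)
        return NULL;
    return calloc(1, size);
}

int main(void)
{
    uint32_t n = 0x0CCCCCCDu; /* constructed count: n * 20 == 2^32 + 4 */
    printf("unchecked size: %u bytes\n", (unsigned)unchecked_size32(n));
    printf("checked alloc:  %s\n", alloc_attr_list(n) ? "allocated" : "rejected");
    return 0;
}
```

The same check belongs before any loop that trusts a peer-supplied count, since the allocation succeeding says nothing about whether it is large enough.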