GHSA-c5f3-hwj2-xp5pHighCVSS 6.5

libssh2 through 1.11.1 grows its publickey list with SSH2_REALLOC but does not zero-initialize...

Published
June 28, 2026
Last Modified
June 28, 2026

🔗 CVE IDs covered (1)

📋 Description

libssh2 through 1.11.1 grows its publickey list with SSH2_REALLOC but does not zero-initialize new entries before parsing populates them, so a parse failure reaching the cleanup path leaves libssh2_publickey_list_free operating on an uninitialized entry. A malicious SSH server offering the publickey subsystem can use a malformed response to make cleanup free an uninitialized, attacker-influenceable attrs pointer in a connecting libssh2 client.

🔗 References (5)