Skip to content
CVSS 7.3 · HIGH

CVE-2026-7598

A security vulnerability has been detected in libssh2 up to 1.11.1. The impacted element is the function userauth_password of the file src/userauth.c. Such manipulation of the argument username_len/password_len leads to integer overflow. The attack may be launched remotely. The name of the patch is 256d04b60d80bf1190e96b0ad1e91b2174d744b1. A patch should be applied to remediate this issue.

View on NVD

Analysis

A vulnerability in libssh2, a library used by many applications to handle SSH connections, involves an integer overflow in password authentication. This could potentially allow a malicious SSH server to cause memory corruption or a crash in client-side applications like Git clients or custom deployment scripts.

Severity

Score: 7.3(HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: UNCHANGED
C: LOW
I: LOW
A: LOW
Weakness (CWE): CWE-189CWE-190

EPSS

Probability of exploitation (next 30 days): 0.0005 (0.0%)
Percentile: 14.1%
EPSS: 2026-05-06

Affects

libssh2:libssh2

Technical description

A security vulnerability has been detected in libssh2 up to 1.11.1. The impacted element is the function userauth_password of the file src/userauth.c. Such manipulation of the argument username_len/password_len leads to integer overflow. The attack may be launched remotely. The name of the patch is 256d04b60d80bf1190e96b0ad1e91b2174d744b1. A patch should be applied to remediate this issue.

Published: 5/1/2026, 10:16:16 PM
Last modified: 5/7/2026, 1:47:08 AM

References

HomeEventsBlogResourcesTeam