CVE-2026-7598

Published: May 6, 2026Last modified: May 8, 2026

Description

A security vulnerability has been detected in libssh2 up to 1.11.1. The impacted element is the function userauth_password of the file src/userauth.c. Such manipulation of the argument username_len/password_len leads to integer overflow. The attack may be launched remotely. The name of the patch is 256d04b60d80bf1190e96b0ad1e91b2174d744b1. A patch should be applied to remediate this issue.

Severity score breakdown

Parameter	Value
Base score	7.3
Attack Vector	NETWORK
Attack complexity	LOW
Privileges required	NONE
User interaction	NONE
Scope	UNCHANGED
Confidentiality	LOW
Integrity impact	LOW
Availability impact	LOW
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Status

Product	Release	Package	Status
Alpaquita Linux	23 LTS	libssh2	Fixed (1.11.1-r1)
	25 LTS	libssh2	Fixed (1.11.1-r1)
	Stream	libssh2	Fixed (1.11.1-r2)

References

https://github.com/libssh2/libssh2/
https://github.com/libssh2/libssh2/commit/256d04b60d80bf1190e96b0ad1e91b2174d744b1
https://github.com/libssh2/libssh2/pull/1858
https://vuldb.com/submit/805564
https://vuldb.com/vuln/360555
https://vuldb.com/vuln/360555/cti