CVE-2026-7598: libssh2 userauth.c userauth_password integer overflow
A security vulnerability has been detected in libssh2 up to 1.11.1. The impacted element is the function userauth_password in the file src/userauth.c. Manipulating the arguments username_len/password_len leads to an integer overflow. The attack may be launched remotely. The patch is named 256d04b60d80bf1190e96b0ad1e91b2174d744b1 and should be applied to remediate this issue.
Metrics
- CVSS v3.1: 9.1
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An integer overflow vulnerability exists in the userauth_password function within src/userauth.c of libssh2 versions up to and including 1.11.1. The flaw is reachable over the network without any authentication or user interaction, meaning an unauthenticated remote attacker can trigger it by sending a malformed username_len or password_len value during the SSH authentication handshake. Successful exploitation enables an attacker to corrupt data integrity and crash the affected service. No upstream fix version has been published yet; HarborGuard is tracking the advisory for patch availability.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle libssh2 directly. Any image containing an affected libssh2 version (1.11.0 or 1.11.1) is flagged automatically.
Status: Available
HarborGuard scores this CVE at CVSS 9.1 Critical and surfaces it accordingly within each customer environment, weighted against that environment's compliance policy to determine urgency and routing. Findings are directed to the appropriate team inbox within each customer organization based on configured ownership rules.
Status: Available
Because no upstream fix version has been published, HarborGuard re-checks the libssh2 advisory on every ingest cycle and will make a patched-image rebuild available the moment the upstream maintainers ship a remediated release. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered automatically at that point without requiring manual intervention.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
The vulnerable function is exposed over the network during the SSH authentication handshake, so an attacker must be able to reach the service on its SSH port.
- Authentication: Not required
The overflow is triggered before any credential is validated, so no account or privilege level is needed to send the malformed input.
- Victim interaction: Not required
No user action is needed; the attacker initiates the malformed authentication request entirely on their own.
- Attack complexity: Detail
Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race timing, or environmental prerequisites.
Blast Radius
- An attacker can overwrite memory structures in the libssh2 process, corrupting persisted or in-flight SSH session state and any data flowing through it.
- Integrity of authentication logic is broken, allowing an attacker to manipulate how credentials or session parameters are processed.
- The integer overflow can cause the process to crash, taking down any application or service that depends on the libssh2 connection for availability.
- Any container or service that uses libssh2 for SSH client functionality (automated deployments, file transfers, remote command execution) is exposed to the same impact.
How HarborGuard Handles This
Available on HarborGuard: this CVE is tracked at Critical severity and matched against all images in connected customer registries and pipelines. Because no patched version of libssh2 exists yet, the recommended immediate actions for affected environments include isolating workloads that make outbound or inbound SSH connections via libssh2 using network policy, restricting which external hosts can initiate SSH authentication to those services, and gating any feature that relies on libssh2 userauth behind an application-level flag where feasible. HarborGuard will re-evaluate the advisory on every ingest cycle; the moment the libssh2 maintainers publish a fix (referenced in the advisory as commit 256d04b60d80bf1190e96b0ad1e91b2174d744b1), a patched-image rebuild will become available automatically. For customers with auto-remediation enabled, that rebuild will be followed by a regression test run and a PR opened against affected workloads without requiring manual steps.
- n/a / libssh2: 1.11.0 · 1.11.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H