{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/libssh2/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7598"}],"_cs_exploited":false,"_cs_products":["libssh2 \u003c= 1.11.1"],"_cs_severities":["medium"],"_cs_tags":["cve","integer_overflow","libssh2"],"_cs_type":"advisory","_cs_vendors":["libssh2"],"content_html":"\u003cp\u003eA remote integer overflow vulnerability has been identified in libssh2, a library implementing the SSH2 protocol. The vulnerability affects versions up to and including 1.11.1. The root cause lies in the \u003ccode\u003euserauth_password\u003c/code\u003e function within the \u003ccode\u003esrc/userauth.c\u003c/code\u003e file. By manipulating the \u003ccode\u003eusername_len\u003c/code\u003e and \u003ccode\u003epassword_len\u003c/code\u003e arguments, an attacker can trigger an integer overflow. Successful exploitation could lead to denial of service or potentially remote code execution. The patch to address this vulnerability is identified as \u003ccode\u003e256d04b60d80bf1190e96b0ad1e91b2174d744b1\u003c/code\u003e. Defenders should apply this patch to mitigate the risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable libssh2 server or application.\u003c/li\u003e\n\u003cli\u003eAttacker initiates an SSH connection to the target.\u003c/li\u003e\n\u003cli\u003eThe client begins the SSH authentication process.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious SSH password authentication request.\u003c/li\u003e\n\u003cli\u003eThe request includes specially crafted \u003ccode\u003eusername_len\u003c/code\u003e and \u003ccode\u003epassword_len\u003c/code\u003e values designed to cause an integer overflow in the \u003ccode\u003euserauth_password\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003euserauth_password\u003c/code\u003e function processes the malicious lengths, resulting in an integer overflow.\u003c/li\u003e\n\u003cli\u003eThe overflow leads to memory corruption or other unexpected behavior.\u003c/li\u003e\n\u003cli\u003eThe corrupted memory can be exploited to cause a denial-of-service condition, or potentially, remote code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability could lead to a denial-of-service condition, disrupting services relying on the affected libssh2 library. In more severe scenarios, remote code execution might be possible, granting the attacker control over the affected system. While specific victim counts are unavailable, any system using a vulnerable version of libssh2 is potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch identified as \u003ccode\u003e256d04b60d80bf1190e96b0ad1e91b2174d744b1\u003c/code\u003e to remediate the integer overflow vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect libssh2 Integer Overflow Attempt\u0026rdquo; to identify potential exploitation attempts (see below).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusually large username or password lengths during SSH authentication to detect suspicious activity.\u003c/li\u003e\n\u003cli\u003eUpgrade to a version of libssh2 later than 1.11.1.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T22:16:16Z","date_published":"2026-05-01T22:16:16Z","id":"/briefs/2026-05-libssh2-overflow/","summary":"An integer overflow vulnerability exists in libssh2 versions up to 1.11.1 within the userauth_password function of src/userauth.c, which can be triggered remotely by manipulating username_len/password_len arguments.","title":"libssh2 Integer Overflow Vulnerability (CVE-2026-7598)","url":"https://feed.craftedsignal.io/briefs/2026-05-libssh2-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed — Libssh2","version":"https://jsonfeed.org/version/1.1"}