VYPR
High severity 7.3 · NVD Advisory · Published May 1, 2026 · Updated May 7, 2026

CVE-2026-7598

Description

A security vulnerability has been detected in libssh2 up to and including 1.11.1. The impacted element is the function userauth_password in src/userauth.c: manipulation of the username_len/password_len arguments leads to an integer overflow in the unsigned length arithmetic that sizes the authentication request (username_len + 40 for the initial request, username_len + password_len + 44 for a password-change request, as the patch below shows). The pre-patch guard on the latter, username_len + password_len + 44 <= UINT_MAX, is a tautology for unsigned int operands, so a wrapped sum passes it and the wrapped value is used as the request buffer length (userauth_pswd_data_len). The attack may be launched remotely. Note that username_len and password_len are parameters of libssh2's client-side authentication API, so the overflowing values enter through the calling application. The fix is commit 256d04b60d80bf1190e96b0ad1e91b2174d744b1, which also adds a matching bound in userauth_list; apply the patch to remediate this issue.
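The length arithmetic described above, as an added example that is not libssh2's own code: it models the pre-patch guard, the guard as written in the patch, and a hardened variant, and runs them over constructed inputs against a 64-bit ground truth. It assumes a 32-bit unsigned int (as on the platforms libssh2 targets); the function names old_guard, patched_guard, safe_guard, initial_guard, change_request_wraps and change_request_len are this example's own, and the constants 40 and 44 are the header sizes named in the patch.

```c
#include <stdbool.h>
#include <stdint.h>
#include <limits.h>
#include <stdio.h>

/*
 * Added example (not libssh2 code). Models the length checks around the
 * CVE-2026-7598 fix in userauth_password(). Lengths are unsigned int, as in
 * libssh2's API; a 32-bit unsigned int is assumed. 40 and 44 are the fixed
 * header sizes the patch names for the initial request and the
 * password-change request.
 */

/* Pre-patch guard from the change-password path. For unsigned int operands
 * the sum wraps modulo 2^32, so it can never exceed UINT_MAX: the test is a
 * tautology and never rejects anything. */
static bool old_guard(unsigned int username_len, unsigned int password_len)
{
    return username_len + password_len + 44 <= UINT_MAX;
}

/* Guard as written in the patch. Sound while password_len <= UINT32_MAX - 44;
 * for a larger password_len the right-hand side underflows to a huge value
 * and the comparison accepts a username_len that makes the sum wrap. */
static bool patched_guard(unsigned int username_len, unsigned int password_len)
{
    return username_len <= UINT32_MAX - password_len - 44;
}

/* Hardened guard: bound each addend before combining them, so no
 * intermediate expression can wrap. */
static bool safe_guard(unsigned int username_len, unsigned int password_len)
{
    if (password_len > UINT32_MAX - 44)
        return false;
    return username_len <= UINT32_MAX - 44 - password_len;
}

/* Initial-request guard from the patch (username_len + 40): with a single
 * variable addend the subtraction cannot underflow, so this one is sound. */
static bool initial_guard(unsigned int username_len)
{
    return username_len <= UINT32_MAX - 40;
}

/* Ground truth, computed in 64 bits: does the 32-bit sum actually wrap? */
static bool change_request_wraps(unsigned int username_len,
                                 unsigned int password_len)
{
    return (uint64_t)username_len + password_len + 44 > UINT32_MAX;
}

/* Size a change-request buffer the way a hardened caller should: returns 0
 * (never a valid size, the minimum is 44) instead of handing a wrapped
 * length to the allocator. */
static unsigned int change_request_len(unsigned int username_len,
                                       unsigned int password_len)
{
    if (!safe_guard(username_len, password_len))
        return 0;
    return username_len + password_len + 44;
}

int main(void)
{
    /* Constructed inputs: a sane pair, a huge username, a huge password.
     * The last one is the case the patched guard still lets through. */
    struct { unsigned int u, p; } cases[] = {
        { 8u, 12u }, { 0xFFFFFFF0u, 100u }, { 10u, 0xFFFFFFF0u }
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        unsigned int u = cases[i].u, p = cases[i].p;
        printf("u=%u p=%u wraps=%d old=%d patched=%d safe=%d len=%u\n", u, p,
               change_request_wraps(u, p), old_guard(u, p),
               patched_guard(u, p), safe_guard(u, p),
               change_request_len(u, p));
    }
    return 0;
}
```

The third constructed case (small username, password length close to UINT32_MAX) is the one to watch: old_guard and patched_guard both accept it although the sum wraps, and only safe_guard rejects it, which is why the hardened form bounds password_len on its own before subtracting it.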

Affected products

Libssh2/Libssh2 (2 versions)
  • (no CPE)
  • cpe:2.3:a:libssh2:libssh2:*:*:*:*:*:*:*:*, range: <=1.11.1

Patches

256d04b60d80

userauth.c: username_len bounds checking (#1858)

https://github.com/libssh2/libssh2 · Will Cosgrove · Apr 13, 2026 · via nvd-ref
1 file changed · +12 −1
  • src/userauth.c (+12 −1, modified)
    @@ -80,6 +80,12 @@ static char *userauth_list(LIBSSH2_SESSION *session, const char *username,
             memset(&session->userauth_list_packet_requirev_state, 0,
                    sizeof(session->userauth_list_packet_requirev_state));
     
    +        if(username_len > UINT32_MAX - 27) {
    +            _libssh2_error(session, LIBSSH2_ERROR_PROTO,
    +                           "username_len out of bounds");
    +            return NULL;
    +        }
    +
             session->userauth_list_data_len = username_len + 27;
     
             if(session->userauth_list_data) {
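Review bot: the bound is correct for the unsigned `username_len` it protects (`UINT32_MAX - 27` cannot underflow, and a rejected call leaves the state idle so the session stays usable), but the 27 now appears twice, in the check and in `session->userauth_list_data_len = username_len + 27;` on the next line, with no comment saying what it is made of, unlike the second hunk which itemises its 40; factor it into a named constant or add the same breakdown comment so the two cannot drift apart.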
    @@ -316,6 +322,11 @@ userauth_password(LIBSSH2_SESSION *session,
              * 40 = packet_type(1) + username_len(4) + service_len(4) +
              * service(14)"ssh-connection" + method_len(4) + method(8)"password" +
              * chgpwdbool(1) + password_len(4) */
    +        if(username_len > UINT32_MAX - 40) {
    +            return _libssh2_error(session, LIBSSH2_ERROR_PROTO,
    +                                  "username_len out of bounds");
    +        }
    +
             session->userauth_pswd_data_len = username_len + 40;
     
             session->userauth_pswd_data0 =
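Review bot: this guard covers only `username_len + 40`; `password_len` gets no bound at function entry even though the same function adds it into the total in the change-request path (third hunk), so a caller-supplied `password_len` near UINT32_MAX passes this point unchecked. Rejecting `password_len > UINT32_MAX - 44` here, next to the username check, would keep all of the function's length validation at entry instead of relying on the later arithmetic to catch it.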
    @@ -456,7 +467,7 @@ userauth_password(LIBSSH2_SESSION *session,
                             }
     
                             /* basic data_len + newpw_len(4) */
    -                        if(username_len + password_len + 44 <= UINT_MAX) {
    +                        if(username_len <= UINT32_MAX - password_len - 44) {
                                 session->userauth_pswd_data_len =
                                     username_len + password_len + 44;
                                 s = session->userauth_pswd_data =
    
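Review bot: the rewritten condition still wraps: `UINT32_MAX - password_len - 44` underflows when `password_len > UINT32_MAX - 44`, giving a huge right-hand side that any `username_len` satisfies, so `username_len + password_len + 44` can still overflow for a large `password_len`. The removed form `username_len + password_len + 44 <= UINT_MAX` was a tautology for unsigned int operands (the wrapped sum never exceeds UINT_MAX), which is why it had to go, but the replacement needs each addend bounded before they are combined, e.g. `if(password_len <= UINT32_MAX - 44 && username_len <= UINT32_MAX - 44 - password_len)`. Also, the hunk introduces `UINT32_MAX` while removing `UINT_MAX`; pick one for the file so the type the bound is stated in matches the `unsigned int` lengths everywhere.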
