CVE-2026-7598: libssh2 userauth.c userauth_password integer overflow

Published May 1, 2026

An integer overflow vulnerability has been found in libssh2 up to 1.11.1. It affects the function userauth_password in the file src/userauth.c. Manipulating the arguments username_len/password_len leads to an integer overflow. The attack may be launched remotely. The patch is identified as 256d04b60d80bf1190e96b0ad1e91b2174d744b1 and should be applied to remediate this issue.

Affected Software

4 affected components
Fixes available
libssh2 libssh2 <= 1.11.1
Microsoft azl3 libssh2 1.11.1-1
libssh2 libssh2 <= 1.11.1
Microsoft azl3 libssh2 1.11.1-2

Event History

May 1, 2026
CVE Published via MITRE, 09:30 PM
Data Sourced via MITRE, 09:30 PM: Description, Severity, Weakness
Data Sourced via NVD, 10:16 PM: Remedy, Description, Severity, Weakness, Affected Software

May 3, 2026
Data Sourced via Microsoft, 08:01 AM: Description, Severity, Weakness, Affected Software
Updated via Microsoft, 08:01 AM: Description, Severity
Updated via Microsoft, 08:01 AM: Affected Software
Frequently Asked Questions

1. What is the severity of CVE-2026-7598?

CVE-2026-7598 is classified as a high severity vulnerability because it could lead to remote code execution.

2. How do I fix CVE-2026-7598?

To fix CVE-2026-7598, upgrade libssh2 to version 1.11.2 or later, where the vulnerability is addressed.

3. What is the impact of CVE-2026-7598 on affected systems?

CVE-2026-7598 can result in unauthorized access to, or control over, systems using vulnerable versions of libssh2.

4. Which versions of libssh2 are affected by CVE-2026-7598?

CVE-2026-7598 affects all versions of libssh2 up to and including version 1.11.1.

5. What does CVE-2026-7598 exploit in libssh2?

CVE-2026-7598 is an integer overflow in the userauth_password function, caused by improper handling of username and password lengths.
