2464597 – (CVE-2026-7598) CVE-2026-7598 libssh2: integer overflow via large username or password arguments

Bug 2464597 (CVE-2026-7598) - CVE-2026-7598 libssh2: integer overflow via large username or password arguments

Summary: CVE-2026-7598 libssh2: integer overflow via large username or password arguments

Keywords:
Status:	NEW
Alias:	CVE-2026-7598
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2468328 2468329 2468333 2468335 2468330 2468331 2468332 2468334
Blocks:
TreeView+	depends on / blocked

Reported:	2026-05-01 22:01 UTC by OSIDB Bzimport
Modified:	2026-05-08 19:21 UTC (History)
CC List:	13 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-05-01 22:01:19 UTC

A security vulnerability has been detected in libssh2 up to 1.11.1. The impacted element is the function userauth_password of the file src/userauth.c. Such manipulation of the argument username_len/password_len leads to integer overflow. The attack may be launched remotely. The name of the patch is 256d04b60d80bf1190e96b0ad1e91b2174d744b1. A patch should be applied to remediate this issue.

Note You need to log in before you can comment on or make changes to this bug.