NIXPKGS-2026-1366

GitHub issue published on

Permalink CVE-2026-7598

7.3 HIGH

CVSS version: 3.1
Attack vector (AV):
Attack complexity (AC):
Privileges required (PR):
User interaction (UI):
Scope (S):
Confidentiality impact (C):
Integrity impact (I):
Availability impact (A):

updated 1 day, 15 hours ago by @LeSuisse Activity log

Created suggestion 2 days ago
@LeSuisse ignored
3 packages
- haskellPackages.libssh2
- haskellPackages.libssh2-conduit
- tests.pkg-config.defaultPkgConfigPackages.libssh2
1 day, 16 hours ago
@LeSuisse ignored
4 references
1 day, 16 hours ago
@LeSuisse accepted 1 day, 16 hours ago
@LeSuisse published on GitHub 1 day, 15 hours ago

libssh2 userauth.c userauth_password integer overflow

A security vulnerability has been detected in libssh2 up to 1.11.1. The impacted element is the function userauth_password of the file src/userauth.c. Such manipulation of the argument username_len/password_len leads to integer overflow. The attack may be launched remotely. The name of the patch is 256d04b60d80bf1190e96b0ad1e91b2174d744b1. A patch should be applied to remediate this issue.

References

https://github.com/libssh2/libssh2/pull/1858 patchissue-tracking
https://github.com/libssh2/libssh2/commit/256d04b60d80bf1190e96b0ad1e91b2174d74… patch

Ignored references (4)

Submit #805564 | libssh2 <= 1.11.1 Integer Overflow third-party-advisory
https://github.com/libssh2/libssh2/ product
VDB-360555 | libssh2 userauth.c userauth_password integer overflow vdb-entrytechnical-description
VDB-360555 | CTI Indicators (IOB, IOC, IOA) signaturepermissions-required

Affected products

libssh2

==1.11.0
==1.11.1

Matching in nixpkgs

pkgs.libssh2

Client-side C library implementing the SSH2 protocol

nixos-unstable 1.11.1
- nixpkgs-unstable 1.11.1
- nixos-unstable-small 1.11.1
nixos-25.11 1.11.1
- nixos-25.11-small 1.11.1
- nixpkgs-25.11-darwin 1.11.1

Ignored packages (3)

pkgs.haskellPackages.libssh2

FFI bindings to libssh2 SSH2 client library (http://libssh2.org/)

nixos-unstable 0.2.0.9-unstable-2025-04-03
- nixpkgs-unstable 0.2.0.9-unstable-2025-04-03
- nixos-unstable-small 0.2.0.9-unstable-2025-04-03
nixos-25.11 0.2.0.9-unstable-2025-04-03
- nixos-25.11-small 0.2.0.9-unstable-2025-04-03
- nixpkgs-25.11-darwin 0.2.0.9-unstable-2025-04-03

pkgs.haskellPackages.libssh2-conduit

Conduit wrappers for libssh2 FFI bindings (see libssh2 package)

nixos-unstable 0.2.1
- nixpkgs-unstable 0.2.1
- nixos-unstable-small 0.2.1
nixos-25.11 0.2.1
- nixos-25.11-small 0.2.1
- nixpkgs-25.11-darwin 0.2.1

pkgs.tests.pkg-config.defaultPkgConfigPackages.libssh2

Test whether libssh2-1.11.1 exposes pkg-config modules libssh2

nixos-unstable libssh2
- nixpkgs-unstable libssh2
- nixos-unstable-small libssh2
nixos-25.11 libssh2
- nixos-25.11-small libssh2
- nixpkgs-25.11-darwin libssh2

Package maintainers

@SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>

Nixpkgs security tracker

Details of issue NIXPKGS-2026-1366