libssh2 through 1.11.1, fixed in commit 7acf3df contains an out-of-bounds write vulnerability in ssh2_transport_read() that fails to enforce upper bounds on packet_length field. Remote attackers can send crafted SSH packets with excessively large packet_length values to corrupt heap memory and achieve remote code execution.
The product performs a calculation to determine how much memory to allocate, but an integer overflow can occur that causes less memory to be allocated than expected, leading to a buffer overflow.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Libssh2 | Libssh2 | * | 1.11.1 (including) |
| Red Hat Hardened Images | RedHat | libssh2-main-1.11.1-8.hum1 | * |
| Libssh2 | Ubuntu | devel | * |
| Libssh2 | Ubuntu | questing | * |
| Libssh2 | Ubuntu | resolute | * |
| Libssh2 | Ubuntu | upstream | * |