OFFSITE.DARK

Jun 29, 2026


Sploitus / Exploitarium

  • libssh2
  • heap
  • publickey
  • exploitarium


libssh2 Publickey List Parser Calc PoCs

Win32 attrs allocation wrap and Win64 cleanup arbitrary-free chains in publickey list fetch — live SSH session calc replay included.

Summary

This proof-of-concept is one of 30 folders in the Exploitarium collection. OFFSITE.DARK summarizes the upstream README and PoC design; we did not discover or weaponize this flaw.

Key Findings

Finding | Detail
Product / target | libssh2 master @ e75b4bae3c68 (2026-06-24)
Primitive | num_attrs multiply wrap + malformed version/publickey list shaping
Impact | Remote calc proof via publickey subsystem when vulnerable parser build linked.

Attack Chain

SSH publickey subsystem → grow list into freed slot → cleanup calls attacker callback

Mitigation

Apply parser hardening (zero list keys after growth; reject overflowing num_attrs).
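
The two hardening steps named above, sketched as an added example; this is not code from libssh2 or from the PoC. The types `pk_attr` and `pk_entry`, the function names, and the `limit` parameter (which models SIZE_MAX of the target build so the 32-bit wrap can be checked on any host) are all hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the parser's list types (not libssh2's own). */
typedef struct { char *name, *value; uint32_t name_len, value_len; } pk_attr;
typedef struct { unsigned char *packet; uint32_t num_attrs; pk_attr *attrs; } pk_entry;

/* Bytes needed for `count` elements, or -1 if the multiply would exceed
 * `limit`, which models SIZE_MAX of the target build (0xFFFFFFFF on Win32). */
int checked_array_size(uint32_t count, size_t elem, uint64_t limit, size_t *out)
{
    if (elem == 0 || count > limit / elem)
        return -1;
    *out = (size_t)count * elem;
    return 0;
}

/* Allocate attrs for a wire-supplied num_attrs; refuse a count that wraps. */
int alloc_attrs(pk_entry *e, uint32_t num_attrs, uint64_t limit)
{
    size_t bytes;
    e->attrs = NULL;
    e->num_attrs = 0;
    if (num_attrs == 0)
        return 0;
    if (checked_array_size(num_attrs, sizeof(pk_attr), limit, &bytes) != 0)
        return -1;
    if ((e->attrs = calloc(1, bytes)) == NULL)
        return -1;
    e->num_attrs = num_attrs;
    return 0;
}

/* Grow the list and zero the new slots, so cleanup after a mid-parse failure
 * sees only NULL pointers in entries that were never filled. */
pk_entry *grow_list(pk_entry *list, uint32_t old_n, uint32_t new_n, uint64_t limit)
{
    size_t bytes;
    pk_entry *p;
    if (new_n <= old_n ||
        checked_array_size(new_n, sizeof(pk_entry), limit, &bytes) != 0)
        return NULL;
    if ((p = realloc(list, bytes)) == NULL)
        return NULL;
    memset(p + old_n, 0, (size_t)(new_n - old_n) * sizeof(pk_entry));
    return p;
}
```

When `grow_list` returns NULL the caller still owns the old list, so the error path frees only the entries that were actually filled.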
