libssh2 Publickey List Parser Calc PoCs
Win32 attrs allocation wrap and Win64 cleanup arbitrary-free chains in publickey list fetch — live SSH session calc replay included.
Summary
This proof-of-concept is one of 30 folders in the Exploitarium collection. OFFSITE.DARK summarizes the upstream README and PoC design; we did not discover or weaponize this flaw.
Key Findings
| Finding | Detail |
|---|---|
| Product / target | libssh2 master @ e75b4bae3c68 (2026-06-24) |
| Primitive | num_attrs multiply wrap + malformed version/publickey list shaping |
| Impact | Remote calc proof via the publickey subsystem when a vulnerable parser build is linked. |
Attack Chain
SSH publickey subsystem → grow list into freed slot → cleanup calls attacker callback
Mitigation
Apply parser hardening (zero list keys after growth; reject overflowing num_attrs).
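
One way to implement the two hardening steps named above, as an added example (not code from libssh2, the PoC, or the upstream README). The struct layouts, function names and the 16-byte element size in the sample input are hypothetical; the size limit is passed as a parameter so the Win32 (32-bit `size_t`) wrap can be checked on any host.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical types for illustration; not libssh2's own definitions. */
typedef struct { char *name; char *value; uint32_t name_len, value_len; } pk_attr;
typedef struct { unsigned char *packet; pk_attr *attrs; uint32_t num_attrs; } pk_entry;

/* Store count * elem in *out, or return -1 if the product exceeds limit.
 * limit is a parameter so a 32-bit size_t can be modelled on any host. */
static int checked_mul(uint64_t count, uint64_t elem, uint64_t limit, uint64_t *out)
{
    if (elem != 0 && count > limit / elem)
        return -1;
    *out = count * elem;
    return 0;
}

/* Grow the list to new_cap slots and zero every new slot, so cleanup never
 * treats stale heap bytes as packet/attrs pointers. */
static pk_entry *grow_list(pk_entry *list, size_t old_cap, size_t new_cap)
{
    uint64_t bytes;
    pk_entry *p;
    if (new_cap <= old_cap || checked_mul(new_cap, sizeof(pk_entry), SIZE_MAX, &bytes))
        return NULL;
    p = realloc(list, (size_t)bytes);
    if (p)
        memset(p + old_cap, 0, (new_cap - old_cap) * sizeof(pk_entry));
    return p;
}

/* Cleanup walks by capacity; zeroed slots make each free() a no-op. */
static void free_list(pk_entry *list, size_t cap)
{
    for (size_t i = 0; list && i < cap; i++) {
        free(list[i].attrs);
        free(list[i].packet);
    }
    free(list);
}

int main(void)
{
    uint64_t bytes;
    pk_entry *list = grow_list(NULL, 0, 8);
    /* Constructed input: 0x10000000 attrs of 16 bytes wraps a 32-bit size_t. */
    printf("wrap rejected: %d\n", checked_mul(0x10000000u, 16, UINT32_MAX, &bytes) == -1);
    free_list(list, 8);
    return 0;
}
```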