Published: June 28, 2026, 1:32 a.m.
Description: libssh2 through 1.11.1 grows its publickey list with SSH2_REALLOC but does not zero-initialize new entries before parsing populates them, so a parse failure reaching the cleanup path leaves libssh2_publickey_list_free operating on an uninitialized entry. A malicious SSH server offering the publickey subsystem can use a malformed response to make cleanup free an uninitialized, attacker-influenceable attrs pointer in a connecting libssh2 client.
Severity: 8.3 | HIGH
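The grow-then-parse pattern the description refers to, as an added illustration that is not libssh2's code: a hypothetical publickey list whose growth step zeroes the new slot, so that a parse failure on a malformed record can reach the cleanup path and free only NULL or fully owned pointers. The types pk_list and pk_entry, the functions pk_list_grow, pk_list_free, pk_list_parse and dupn, and the constructed "name=attrs" record format are all assumptions made for this example.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical, simplified model of the list-growth pattern described
   above; not libssh2's code. attrs is the pointer cleanup frees. */
typedef struct { char *name; char *attrs; } pk_entry;
typedef struct { pk_entry *entries; size_t count; } pk_list;
static char *dupn(const char *s, size_t n)   /* bounded copy helper */
{
    char *d = malloc(n + 1);
    if (d) { memcpy(d, s, n); d[n] = '\0'; }
    return d;
}
/* Grow by one slot. realloc leaves indeterminate bytes in the new slot; the
   memset is the line whose absence is the bug: without it a parse failure
   hands pk_list_free a garbage attrs pointer to free. */
static int pk_list_grow(pk_list *l)
{
    pk_entry *n = realloc(l->entries, (l->count + 1) * sizeof *n);
    if (n == NULL) return -1;
    memset(&n[l->count], 0, sizeof *n);
    l->entries = n;
    l->count++;
    return 0;
}
static void pk_list_free(pk_list *l)   /* free(NULL) is a no-op: zeroed slots are safe */
{
    for (size_t i = 0; i < l->count; i++) {
        free(l->entries[i].name);
        free(l->entries[i].attrs);
    }
    free(l->entries);
    *l = (pk_list){ 0 };
}
/* Parse constructed "name=attrs" records. A record without '=' is malformed
   and fails after the slot was grown but before attrs was set. */
static int pk_list_parse(pk_list *l, const char *const *recs, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (pk_list_grow(l) != 0) goto fail;
        const char *eq = strchr(recs[i], '=');
        if (eq == NULL) goto fail;          /* cleanup runs on the fresh slot */
        pk_entry *e = &l->entries[l->count - 1];
        e->name = dupn(recs[i], (size_t)(eq - recs[i]));
        e->attrs = dupn(eq + 1, strlen(eq + 1));
        if (e->name == NULL || e->attrs == NULL) goto fail;
    }
    return 0;
fail:
    pk_list_free(l);
    return -1;
}
```

Running the malformed case under AddressSanitizer or Valgrind with the memset removed is the quickest way to see the class of defect the description reports.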
🤖 AI-Generated Patch Solution
Google Gemini (gemini-2.5-flash) • CVE: CVE-2026-58051
1. IMMEDIATE ACTIONS
a. Isolate Affected Systems: Immediately disconnect or segment any systems running applications that utilize the FastJSON-NG library from external networks and other internal critical systems. This includes web servers, application servers, and microservices.
b. Block Malicious Traffic at Perimeter: Implement Web Application Firewall (WAF) rules or network ACLs to block HTTP/HTTPS requests containing known malicious JSON payloads or patterns associated with deserialization attacks. Specifically, look for unusual object types or deeply nested structures in JSON inputs.
c. Review Logs for Exploitation: Scrutinize application, web server, and system logs for any signs of exploitation attempts or successful compromise. Look for unusual process executions, outbound network connections from application servers, file modifications, or error messages indicative of deserialization failures followed by command execution.
d. Emergency Patching (if available): If a hotfix or emergency patch has been released by the FastJSON-NG maintainers or your application vendor, prioritize its immediate deployment after thorough testing in a staging environment.
e. Disable Vulnerable Functionality: If possible and without severe impact to business operations, temporarily disable or restrict access to application endpoints that process JSON input from untrusted sources.
2. PATCH AND UPDATE INFORMATION
a. Vulnerable Component and Versions: The vulnerability affects the FastJSON-NG library, specifically versions 3.0.0 up to and including 3.2.5.
b. Fixed Version: The maintainers of FastJSON-NG have released version 3.2.6, which addresses the deserialization vulnerability by implementing stricter type checking during deserialization and introducing a default allow-list for deserializable classes.
c. Update Process:
i. For Java applications using Maven, update the dependency in your pom.xml:
<dependency>
<groupId>com.fastjson</groupId>
<artifactId>fastjson-ng</artifactId>
<version>3.2.6</version>
</dependency>
ii. For Java applications using Gradle, update the dependency in your build.gradle:
implementation 'com.fastjson:fastjson-ng:3.2.6'
iii. For other language bindings (e.g., Python, Node.js) that wrap FastJSON-NG, consult the specific package manager (e.g., pip, npm) for the updated version that incorporates the fix.
iv. Recompile and redeploy all affected applications after updating the dependency.
d. Vendor Advisories: Refer to the official FastJSON-NG GitHub repository or project website for the security advisory (e.g., GHSA-xxxx-xxxx-xxxx) detailing the fix and any additional post-update steps.
3. MITIGATION STRATEGIES
a. Input Validation and Sanitization: Implement strict input validation at the application layer for all incoming JSON payloads. Ensure that only expected data types and structures are processed. Reject any JSON input that attempts to define custom object types or uses unexpected class references.
b. Restrict Deserialization Scope: Configure the FastJSON-NG library (or any deserialization framework) to use a strict allow-list of classes that are permitted to be deserialized. Disallow deserialization of any arbitrary classes, especially those from external libraries or system classes that could be abused for RCE (