diff --git a/meta/recipes-support/libssh2/libssh2/CVE-2026-58050.patch b/meta/recipes-support/libssh2/libssh2/CVE-2026-58050.patch
new file mode 100644
index 0000000000..bad801fece
--- /dev/null
+++ b/meta/recipes-support/libssh2/libssh2/CVE-2026-58050.patch
@@ -0,0 +1,177 @@
+From ffe23ddb76c6fe320f3a90f5876abd429b6ddc61 Mon Sep 17 00:00:00 2001
+From: Viktor Szakats <commit@vsz.me>
+Date: Sat, 4 Jul 2026 17:18:50 +0200
+Subject: [PATCH] publickey: cap variable-length packet element sizes
+
+To avoid potential offset wrap in 32-bit builds when receiving overly
+large values in length fields. Limit them to the maximum packet size.
+
+Bug: https://github.com/libssh2/libssh2/pull/2205#discussion_r3523193089
+
+Closes #2207
+
+[Cherry-pick adaptation notes]
+
+The upstream commit uses the shortened private-symbol namespace
+introduced in commit 076838de2697a4185125bfd601fbcd6e7286bfb6
+("src: shorten namespace for private functions and macros"), which is
+not present in libssh2 1.11.1. The only change made when backporting was
+to spell the helper calls back to the names used in 1.11.1:
+
+  ssh2_err()     -> _libssh2_error()
+  ssh2_ntohu32() -> _libssh2_ntohu32()
+
+The added "> LIBSSH2_PACKET_MAXPAYLOAD" cap checks were kept as-is,
+written against this tree's existing bounds-check style
+(s + len <= data + data_len).
+
+CVE: CVE-2026-58050
+Upstream-Status: Backport [https://github.com/libssh2/libssh2/commit/7c8a170c6dca3cd4cf24de836f43ba1a20e662d5]
+
+Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
+---
+ src/publickey.c | 61 +++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 61 insertions(+)
+
+diff --git a/src/publickey.c b/src/publickey.c
+index 9c9fa618..583935fe 100644
+--- a/src/publickey.c
++++ b/src/publickey.c
+@@ -472,6 +472,11 @@ static LIBSSH2_PUBLICKEY *publickey_init(LIBSSH2_SESSION *session)
+                     goto err_exit;
+                 }
+ 
++                if(descr_len > LIBSSH2_PACKET_MAXPAYLOAD) {
++                    _libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY,
++                                   "Public key description too large");
++                    goto err_exit;
++                }
+                 if(s + descr_len + 4 <=
+                    session->pkeyInit_data + session->pkeyInit_data_len) {
+                     /* description starts here */
+@@ -485,6 +490,11 @@ static LIBSSH2_PUBLICKEY *publickey_init(LIBSSH2_SESSION *session)
+                     goto err_exit;
+                 }
+ 
++                if(lang_len > LIBSSH2_PACKET_MAXPAYLOAD) {
++                    _libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY,
++                                   "Public key language too large");
++                    goto err_exit;
++                }
+                 if(s + lang_len <=
+                    session->pkeyInit_data + session->pkeyInit_data_len) {
+                     /* lang starts here */
+@@ -912,6 +922,11 @@ libssh2_publickey_list_fetch(LIBSSH2_PUBLICKEY * pkey, unsigned long *num_keys,
+                 goto err_exit;
+             }
+ 
++            if(descr_len > LIBSSH2_PACKET_MAXPAYLOAD) {
++                _libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY,
++                               "Public key description too large");
++                goto err_exit;
++            }
+             if(pkey->listFetch_s + descr_len + 4 <=
+                pkey->listFetch_data + pkey->listFetch_data_len) {
+                 /* description starts at pkey->listFetch_s */
+@@ -925,6 +940,11 @@ libssh2_publickey_list_fetch(LIBSSH2_PUBLICKEY * pkey, unsigned long *num_keys,
+                 goto err_exit;
+             }
+ 
++            if(lang_len > LIBSSH2_PACKET_MAXPAYLOAD) {
++                _libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY,
++                               "Public key language too large");
++                goto err_exit;
++            }
+             if(pkey->listFetch_s + lang_len <=
+                pkey->listFetch_data + pkey->listFetch_data_len) {
+                 /* lang starts at pkey->listFetch_s */
+@@ -988,6 +1008,11 @@ libssh2_publickey_list_fetch(LIBSSH2_PUBLICKEY * pkey, unsigned long *num_keys,
+                 }
+ 
+                 if(comment_len) {
++                    if(comment_len > LIBSSH2_PACKET_MAXPAYLOAD) {
++                        _libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY,
++                                       "Public key comment too large");
++                        goto err_exit;
++                    }
+                     list[keys].num_attrs = 1;
+                     list[keys].attrs =
+                         LIBSSH2_ALLOC(session,
+@@ -1022,6 +1047,11 @@ libssh2_publickey_list_fetch(LIBSSH2_PUBLICKEY * pkey, unsigned long *num_keys,
+                     goto err_exit;
+                 }
+ 
++                if(list[keys].name_len > LIBSSH2_PACKET_MAXPAYLOAD) {
++                    _libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY,
++                                   "Public key name too large");
++                    goto err_exit;
++                }
+                 if(pkey->listFetch_s + list[keys].name_len <=
+                    pkey->listFetch_data + pkey->listFetch_data_len) {
+                     list[keys].name = pkey->listFetch_s;
+@@ -1044,6 +1069,11 @@ libssh2_publickey_list_fetch(LIBSSH2_PUBLICKEY * pkey, unsigned long *num_keys,
+                     goto err_exit;
+                 }
+ 
++                if(list[keys].blob_len > LIBSSH2_PACKET_MAXPAYLOAD) {
++                    _libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY,
++                                   "Public key blob too large");
++                    goto err_exit;
++                }
+                 if(pkey->listFetch_s + list[keys].blob_len <=
+                    pkey->listFetch_data + pkey->listFetch_data_len) {
+                     list[keys].blob = pkey->listFetch_s;
+@@ -1069,6 +1094,11 @@ libssh2_publickey_list_fetch(LIBSSH2_PUBLICKEY * pkey, unsigned long *num_keys,
+                     goto err_exit;
+                 }
+ 
++                if(list[keys].name_len > LIBSSH2_PACKET_MAXPAYLOAD) {
++                    _libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY,
++                                   "Public key name too large");
++                    goto err_exit;
++                }
+                 if(pkey->listFetch_s + list[keys].name_len <=
+                    pkey->listFetch_data + pkey->listFetch_data_len) {
+                     list[keys].name = pkey->listFetch_s;
+@@ -1091,6 +1116,11 @@ libssh2_publickey_list_fetch(LIBSSH2_PUBLICKEY * pkey, unsigned long *num_keys,
+                     goto err_exit;
+                 }
+ 
++                if(list[keys].blob_len > LIBSSH2_PACKET_MAXPAYLOAD) {
++                    _libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY,
++                                   "Public key blob too large");
++                    goto err_exit;
++                }
+                 if(pkey->listFetch_s + list[keys].blob_len <=
+                    pkey->listFetch_data + pkey->listFetch_data_len) {
+                     list[keys].blob = pkey->listFetch_s;
+@@ -1138,6 +1163,14 @@ libssh2_publickey_list_fetch(LIBSSH2_PUBLICKEY * pkey, unsigned long *num_keys,
+                             goto err_exit;
+                         }
+ 
++                        if(list[keys].attrs[i].name_len >
++                           LIBSSH2_PACKET_MAXPAYLOAD) {
++                            _libssh2_error(session,
++                                           LIBSSH2_ERROR_OUT_OF_BOUNDARY,
++                                           "Public key attribute name "
++                                           "too large");
++                            goto err_exit;
++                        }
+                         if(pkey->listFetch_s + list[keys].attrs[i].name_len <=
+                            pkey->listFetch_data + pkey->listFetch_data_len) {
+                             list[keys].attrs[i].name =
+@@ -1164,6 +1197,14 @@ libssh2_publickey_list_fetch(LIBSSH2_PUBLICKEY * pkey, unsigned long *num_keys,
+                             goto err_exit;
+                         }
+ 
++                        if(list[keys].attrs[i].value_len >
++                           LIBSSH2_PACKET_MAXPAYLOAD) {
++                            _libssh2_error(session,
++                                           LIBSSH2_ERROR_OUT_OF_BOUNDARY,
++                                           "Public key attribute value "
++                                           "too large");
++                            goto err_exit;
++                        }
+                         if(pkey->listFetch_s +
+                            list[keys].attrs[i].value_len <=
+                            pkey->listFetch_data + pkey->listFetch_data_len) {
diff --git a/meta/recipes-support/libssh2/libssh2_1.11.1.bb b/meta/recipes-support/libssh2/libssh2_1.11.1.bb
index 2407ed34d9..21e7ed30da 100644
--- a/meta/recipes-support/libssh2/libssh2_1.11.1.bb
+++ b/meta/recipes-support/libssh2/libssh2_1.11.1.bb
@@ -13,6 +13,7 @@ SRC_URI = "http://www.libssh2.org/download/${BP}.tar.gz \
            file://CVE-2026-7598.patch \
            file://CVE-2026-55200.patch \
            file://CVE-2026-55199.patch \
+           file://CVE-2026-58050.patch \
            "
 
 SRC_URI[sha256sum] = "d9ec76cbe34db98eec3539fe2c899d26b0c837cb3eb466a56b0f109cabf658f7"
