
CVE-2026-55200: libssh2 Remote Code Execution Vulnerability

CVE-2026-55200 is a remote code execution flaw in libssh2 through version 1.11.1 caused by an out-of-bounds write in packet processing. This article covers technical details, affected versions, exploitation risks, and mitigation.


CVE-2026-55200 Overview

CVE-2026-55200 is an out-of-bounds write vulnerability in libssh2 versions through 1.11.1. The flaw resides in the ssh2_transport_read() function within transport.c, which fails to enforce an upper bound on the packet_length field of incoming SSH packets. Remote attackers can transmit crafted SSH packets containing excessively large packet_length values to corrupt heap memory. Successful exploitation leads to remote code execution in the context of any application linked against the vulnerable library. The issue is tracked under CWE-680 (Integer Overflow to Buffer Overflow) and was fixed in commit 97acf3df.

Critical Impact

Unauthenticated remote attackers can corrupt heap memory and achieve code execution on any process linking libssh2 through 1.11.1.

Affected Products

  • libssh2 versions through 1.11.1
  • Applications and services statically or dynamically linking vulnerable libssh2 builds
  • Downstream packages distributed by Linux distributions prior to ingesting commit 97acf3df

Discovery Timeline

  • 2026-06-17 - CVE-2026-55200 published to NVD
  • 2026-06-18 - Last updated in NVD database

Technical Details for CVE-2026-55200

Vulnerability Analysis

The defect lies in the SSH transport layer parser implemented in ssh2_transport_read(). The SSH binary packet protocol prefixes each message with a 32-bit packet_length field that describes the size of the payload that follows. The vulnerable code path reads this field from attacker-controlled input and uses it to drive subsequent buffer allocation and copy operations. Because the function never validates that packet_length falls within the RFC 4253 ceiling of 35000 bytes or the library's own buffer constraints, oversized values propagate into downstream arithmetic. The resulting size miscalculation produces a heap buffer that is too small for the data the parser then writes, yielding a linear heap out-of-bounds write.

Root Cause

The root cause is missing upper-bound validation on a length field that is fully attacker-controlled before any cryptographic authentication occurs. libssh2 trusts the value supplied by the remote peer during the unencrypted portion of the SSH handshake, which classifies the flaw as CWE-680 (Integer Overflow to Buffer Overflow). The fix landed in GitHub Pull Request #2052 and was merged as commit 97acf3df, which adds explicit bounds checks against the maximum permitted packet length.
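The check that the vulnerable code path lacks, shown as an added example that is not libssh2's own code and does not reproduce commit 97acf3df: the 32-bit big-endian packet_length is read from the wire and compared against the 35000-byte bound before it is allowed to size any allocation or copy. The function names, the status codes, and the sample packets are assumptions constructed for this illustration; the same header check is what a network signature would apply to the cleartext handshake.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define SSH_MAX_PACKET_LEN 35000u  /* RFC 4253 bound cited by the advisory */
#define SSH_PKT_HDR_LEN 5u         /* 4-byte packet_length + 1-byte padding_length */

enum pkt_status { PKT_OK = 0, PKT_SHORT = 1, PKT_TOO_LARGE = 2, PKT_BAD_PADDING = 3 };

/* Read the big-endian 32-bit packet_length that opens an SSH binary packet. */
static uint32_t ssh_read_u32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Validate the header before the length drives any buffer arithmetic.
 * On PKT_OK, *payload_len receives the payload size implied by the header. */
int ssh_check_packet_header(const unsigned char *buf, size_t buf_len, uint32_t *payload_len) {
    if (buf_len < SSH_PKT_HDR_LEN) return PKT_SHORT;
    uint32_t packet_length = ssh_read_u32(buf);
    /* The missing check: cap the attacker-chosen length before it is used to
       size a heap buffer, otherwise later arithmetic yields a too-small allocation. */
    if (packet_length > SSH_MAX_PACKET_LEN) return PKT_TOO_LARGE;
    uint8_t padding_length = buf[4];
    /* packet_length spans padding_length byte + payload + padding (>= 4 bytes of padding). */
    if (packet_length < (uint32_t)padding_length + 1u + 4u) return PKT_BAD_PADDING;
    *payload_len = packet_length - padding_length - 1u;
    return PKT_OK;
}

/* Copy the payload into a freshly allocated buffer only after the header passed validation
 * and the whole packet (4-byte length field + packet_length bytes, MAC excluded) is present.
 * Returns NULL on any failure; the caller frees the result. */
unsigned char *ssh_extract_payload(const unsigned char *buf, size_t buf_len, uint32_t *payload_len) {
    uint32_t n;
    if (ssh_check_packet_header(buf, buf_len, &n) != PKT_OK) return NULL;
    /* Safe from wraparound only because packet_length was capped above. */
    if (buf_len < 4u + (size_t)ssh_read_u32(buf)) return NULL;
    unsigned char *out = malloc(n ? n : 1u);
    if (!out) return NULL;
    memcpy(out, buf + SSH_PKT_HDR_LEN, n);
    *payload_len = n;
    return out;
}

/* Constructed samples: a well-formed packet (length 12, padding 4, payload "hello!!")
   and a header whose packet_length is far beyond the permitted bound. */
const unsigned char SAMPLE_GOOD[] = {0x00,0x00,0x00,0x0c, 0x04, 'h','e','l','l','o','!','!', 0,0,0,0};
const unsigned char SAMPLE_HUGE[] = {0xff,0xff,0xff,0xf0, 0x04, 0x00,0x00,0x00,0x00};
```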

Attack Vector

The attack vector is network-based and requires no authentication or user interaction. An attacker operates a malicious SSH server, or interposes on a network path between an SSH client and a legitimate server, and responds with a crafted transport packet whose packet_length header exceeds permitted bounds. Any client application invoking libssh2_session_handshake() against the attacker-controlled endpoint reaches the vulnerable code path. Server-side deployments that accept inbound SSH connections using libssh2 are also exposed to unauthenticated remote attackers. Refer to the VulnCheck Advisory on libssh2 for additional analysis.

Detection Methods for CVE-2026-55200

Indicators of Compromise

  • SSH sessions terminating abnormally with heap corruption signatures or SIGSEGV in processes linked against libssh2
  • Inbound or outbound SSH traffic carrying packets where the leading 32-bit packet_length field exceeds 35000 bytes
  • Crash dumps or dmesg entries referencing memory faults inside ssh2_transport_read or adjacent transport.c symbols

Detection Strategies

  • Deploy network signatures that inspect cleartext SSH transport headers during the pre-encryption handshake and flag packet length values above the RFC 4253 maximum of 35000 bytes
  • Inventory all applications, agents, and embedded devices that statically or dynamically link libssh2, and cross-reference build versions against 1.11.1 and earlier
  • Monitor for unexpected SSH client connections from internal hosts to untrusted external endpoints, which is the prerequisite for client-side exploitation

Monitoring Recommendations

  • Aggregate SSH process crash telemetry, core dumps, and ASAN reports from servers and developer workstations to surface exploitation attempts
  • Continuously scan container images and software bills of materials for vulnerable libssh2 versions prior to deployment
  • Alert on anomalous outbound TCP/22 traffic patterns from automation, CI/CD runners, and backup jobs that embed libssh2

How to Mitigate CVE-2026-55200

Immediate Actions Required

  • Upgrade libssh2 to a release containing commit 97acf3df or a vendor backport of Pull Request #2052
  • Rebuild and redeploy any first-party software that statically links libssh2, since OS-level package updates will not affect statically embedded copies
  • Restrict outbound SSH connectivity from internal systems to a known-good allowlist of destinations until patching is complete

Patch Information

The upstream fix is delivered in commit 97acf3df and adds explicit upper-bound validation on the packet_length field inside ssh2_transport_read(). Distribution maintainers and downstream vendors should backport this commit into supported branches. Until packaged releases are available, organizations can build libssh2 from the patched source tree referenced in the GitHub Commit Update.

Workarounds

  • Block egress to untrusted SSH servers at the network perimeter and require connections to traverse an inspecting proxy or bastion host
  • Disable or remove optional features and integrations that initiate libssh2-based outbound sessions when those features are not required
  • Enforce mutual host key verification and strict known_hosts pinning so that man-in-the-middle attackers cannot redirect clients to a malicious SSH endpoint
```bash
# Verify the installed libssh2 version on common Linux distributions
ldconfig -p | grep libssh2
dpkg -l | grep libssh2     # Debian/Ubuntu
rpm -qa | grep libssh2     # RHEL/Fedora/SUSE

# Identify running processes that currently have the library mapped
lsof 2>/dev/null | grep libssh2
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
