The Vulnerability and Its Mechanism
A public proof-of-concept exploit has been released for a critical vulnerability in the libssh2 library, tracked as CVE-2026-55200. The flaw carries a CVSS 4.0 score of 9.2 and affects all versions of libssh2 up to and including 1.11.1. It allows a malicious or compromised SSH server to trigger memory corruption in a connecting client, potentially leading to remote code execution. Because the bug is reachable during the transport handshake, before authentication, the attacker needs no credentials and the user takes no action beyond initiating the connection; the only requirement is that the client connect to a server the attacker controls or has compromised.
The vulnerability resides in the `ssh2_transport_read()` function, which processes incoming SSH packets during the handshake. Every SSH binary packet begins with a 32-bit `packet_length` field supplied by the peer. The function fails to enforce an upper limit on that field, so a server can set it to a value such as `0xffffffff`. When libssh2 adds its small fixed overhead (the length field itself, padding and the MAC) to this value in 32-bit arithmetic, the sum wraps around to a small number. libssh2 then allocates a buffer of that small size but later writes the full oversized packet into it. The integer overflow thus becomes an out-of-bounds heap write, a classic primitive for achieving code execution.
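The arithmetic above, as an added illustration that is not libssh2's code and not the actual fix: a model of the vulnerable size computation next to a hardened version that bounds `packet_length` before doing any arithmetic. The MAC length (32 bytes), the 35000-byte cap (the minimum packet size RFC 4253 requires implementations to accept) and the minimum length of 5 are assumptions chosen for the example; the headers are constructed inline.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative model of the packet_length handling, not libssh2's code.
 * All three constants are assumptions chosen for this example. */
#define MAC_LEN            32u     /* e.g. an hmac-sha2-256 tag */
#define MAX_PACKET_LENGTH  35000u  /* RFC 4253 minimum-supported size, used as the cap */
#define MIN_PACKET_LENGTH  5u      /* padding_length byte + at least 4 padding bytes */

/* Big-endian uint32 read of the SSH packet_length field. */
static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern: the allocation size is computed in uint32_t with no
 * bound on packet_length, so 0xffffffff + 4 + MAC_LEN wraps to 35. */
uint32_t vuln_alloc_size(const unsigned char hdr[4])
{
    uint32_t packet_length = be32(hdr);
    return packet_length + 4u + MAC_LEN;
}

/* Models the later copy step without performing it: would writing the full
 * packet body into the wrapped allocation run past its end? */
bool vuln_write_overflows(const unsigned char hdr[4])
{
    uint32_t packet_length = be32(hdr);
    uint32_t allocated = vuln_alloc_size(hdr);
    return packet_length > allocated;
}

/* Hardened pattern: validate packet_length before any arithmetic and do the
 * sum in size_t. Returns false (leaving *needed untouched) on rejection. */
bool safe_alloc_size(const unsigned char hdr[4], size_t *needed)
{
    uint32_t packet_length = be32(hdr);
    if (packet_length < MIN_PACKET_LENGTH || packet_length > MAX_PACKET_LENGTH)
        return false;
    *needed = (size_t)packet_length + 4u + MAC_LEN;
    return true;
}

int main(void)
{
    /* Constructed headers: a hostile 0xffffffff and a benign 16-byte packet. */
    const unsigned char evil[4]   = {0xff, 0xff, 0xff, 0xff};
    const unsigned char benign[4] = {0x00, 0x00, 0x00, 0x10};
    size_t needed = 0;

    printf("evil:   vuln alloc=%u overflow=%d accepted=%d\n",
           vuln_alloc_size(evil), vuln_write_overflows(evil),
           safe_alloc_size(evil, &needed));
    if (safe_alloc_size(benign, &needed))
        printf("benign: vuln alloc=%u overflow=%d safe alloc=%zu\n",
               vuln_alloc_size(benign), vuln_write_overflows(benign), needed);
    return 0;
}
```

The hostile header makes the unchecked sum wrap to 35 bytes while the subsequent copy would try to write about 4 GiB, which is exactly the mismatch the hardened variant refuses before any allocation happens. Whether the real patch uses this bound or a different one is not stated here; the point is that the check must run on the raw field, before it enters any arithmetic.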
Scope and Patching Status
libssh2 is a client-side SSH library widely embedded in tools such as curl, Git, PHP, backup agents, and firmware updaters. Many of these copies are statically linked, so updating the distribution's libssh2 package does not patch them; each embedding application must be rebuilt or updated separately. This makes a complete inventory of affected systems difficult, as vulnerable copies may be forgotten or buried inside appliances.
At the time of writing, no official fixed release of libssh2 has been tagged, though a patch exists in the mainline source via commit `97acf3d`. Downstream projects and Linux distributions, such as Debian, are backporting the fix themselves. NHS England Digital has already issued an advisory urging affected organizations to update. Until a patched version is available and deployed, organizations should restrict outbound SSH connections to trusted servers and verify host keys, since the attack requires the client to reach a hostile server in the first place. Additional vulnerabilities in the same library, including CVE-2026-55199 (a denial-of-service vector) and CVE-2025-15661 (an SFTP heap over-read), also require attention.
Source: The Hacker News
