Full Report
A public proof-of-concept is now out for CVE-2026-55200, a critical flaw in libssh2 that lets a malicious or compromised SSH server trigger memory corruption on a connecting client, with possible code execution. No credentials, no user interaction. The bug affects every release up to and including 1.11.1 and carries a CVSS 4.0 score of 9.2. libssh2 is a client-side SSH library, not a server.
Analysis Summary
# Vulnerability: Critical Out-of-Bounds Write in libssh2 (CVE-2026-55200)
## CVE Details
- **CVE ID:** CVE-2026-55200
- **CVSS Score:** 9.2 (Critical) - CVSS 4.0
- **CWE:** CWE-680 (Integer Overflow to Buffer Overflow)
## Affected Systems
- **Products:** libssh2 (a client-side SSH library) and any software that links it, such as curl, Git, PHP, backup agents, firmware updaters, and various appliances.
- **Versions:** Every release up to and including version 1.11.1.
- **Configurations:** Vulnerable whenever a client connects to an untrusted or compromised SSH server. Statically linked copies of the library are a particular concern: a distribution package update of libssh2 does not patch them, so each binary that embeds the library must be rebuilt and redeployed separately.
## Vulnerability Description
The flaw resides in the `ssh2_transport_read()` function within `transport.c`, which handles incoming SSH packets during the initial handshake. The function improperly validates the server-supplied `packet_length` field: it rejects values below 1 but enforces no upper bound.
During size calculation, `packet_length` is added to small constant values using 32-bit arithmetic. An attacker can provide a high value (such as `0xffffffff`) so that the sum wraps around to a small number, resulting in a small heap allocation. The library then attempts to write the full, oversized packet into this small buffer, causing a heap-based out-of-bounds write.
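The arithmetic described above, shown as an added illustration of the bug class rather than libssh2's own code: a flawed size computation that checks only a lower bound and lets the 32-bit sum wrap, beside a hardened version that enforces an upper bound and checks each addition for overflow. The constants (`LENGTH_FIELD_BYTES`, `EXTRA_RESERVE_BYTES`, `MAX_PACKET_LENGTH`) and the sample length fields are assumptions made for this example; the cap of 35000 bytes is taken from RFC 4253's minimum required packet size, not from the libssh2 patch.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration of the bug class the advisory describes; the
 * constants below are assumptions for the example, not libssh2's values. */
#define LENGTH_FIELD_BYTES  4u     /* the 4-byte packet_length header itself */
#define EXTRA_RESERVE_BYTES 4u     /* stands in for the "small constant values" added to the length */
#define MAX_PACKET_LENGTH   35000u /* assumed cap; RFC 4253 requires peers to accept up to 35000 bytes */

/* Big-endian uint32 from the first four bytes of a received block (SSH wire order). */
uint32_t read_packet_length(const unsigned char *blk)
{
    return ((uint32_t)blk[0] << 24) | ((uint32_t)blk[1] << 16) |
           ((uint32_t)blk[2] << 8)  |  (uint32_t)blk[3];
}

/* Flawed pattern: only a lower bound is checked, then 32-bit addition that can
 * wrap. Returns the allocation size it would request, or -1 if rejected. */
int64_t vulnerable_alloc_size(uint32_t packet_length)
{
    if (packet_length < 1)
        return -1;
    uint32_t total = packet_length + LENGTH_FIELD_BYTES + EXTRA_RESERVE_BYTES;
    return (int64_t)total;   /* 0xffffffff + 8 wraps to 7 */
}

/* Hardened pattern: reject anything above the cap before doing arithmetic, and
 * still check each addition for overflow as defence in depth. */
int64_t hardened_alloc_size(uint32_t packet_length)
{
    if (packet_length < 1 || packet_length > MAX_PACKET_LENGTH)
        return -1;
    uint32_t total = packet_length;
    if (UINT32_MAX - total < LENGTH_FIELD_BYTES) return -1;
    total += LENGTH_FIELD_BYTES;
    if (UINT32_MAX - total < EXTRA_RESERVE_BYTES) return -1;
    total += EXTRA_RESERVE_BYTES;
    return (int64_t)total;
}

/* 1 if copying packet_length bytes into a buffer of alloc bytes would overrun it. */
int write_would_overrun(uint32_t packet_length, int64_t alloc)
{
    return alloc >= 0 && (int64_t)packet_length > alloc;
}

/* Constructed sample length fields: one hostile (0xffffffff), one benign (1024). */
const unsigned char SAMPLE_HOSTILE[4] = {0xff, 0xff, 0xff, 0xff};
const unsigned char SAMPLE_BENIGN[4]  = {0x00, 0x00, 0x04, 0x00};

int main(void)
{
    const unsigned char *samples[2] = {SAMPLE_HOSTILE, SAMPLE_BENIGN};
    for (int i = 0; i < 2; i++) {
        uint32_t len = read_packet_length(samples[i]);
        int64_t v = vulnerable_alloc_size(len);
        int64_t h = hardened_alloc_size(len);
        printf("packet_length=0x%08x vulnerable alloc=%lld overrun=%d | hardened alloc=%lld\n",
               len, (long long)v, write_would_overrun(len, v), (long long)h);
    }
    return 0;
}
```

With the hostile sample the flawed path requests a 7-byte buffer for a packet it believes is 4 GiB long, which is exactly the mismatch that produces the heap write; the hardened path rejects the length before any allocation happens. The upper-bound check alone makes the wrap impossible here, but keeping the overflow-checked additions protects the code if the cap is raised later.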
## Exploitation
- **Status:** Public Proof-of-Concept (PoC) available; no reported exploitation in the wild.
- **Complexity:** Medium (Successful RCE depends on target binary environment and memory protections).
- **Attack Vector:** Network (Remote, pre-authentication).
## Impact
- **Confidentiality:** High (Potential for Remote Code Execution).
- **Integrity:** High (Potential for Remote Code Execution).
- **Availability:** High (Memory corruption leading to application crashes).
## Remediation
### Patches
- As of the latest report, a formal tagged release is pending.
- Recommended fix: Apply **commit 97acf3d** from the mainline source.
- Users should monitor Linux distribution security trackers (e.g., Debian) for backported security releases.
### Workarounds
- **Restrict Connections:** Only connect to trusted SSH servers and strictly verify host keys.
- **Network Filtering:** Restrict outbound SSH from automated systems to known-good IP ranges/identities.
## Detection
- **Indicators of Compromise:** Unexplained crashes of SSH-reliant clients (curl, git-based scripts, etc.).
- **Detection Methods:** Monitor SSH handshakes for "oversized-packet" anomalies, i.e. packets whose `packet_length` field is implausibly large (near the 32-bit maximum), since the flaw requires such a value.
- **Inventory:** Use Software Bill of Materials (SBOM) or binary scanning tools to identify instances of libssh2, particularly those statically linked into third-party binaries.
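One way to support the inventory step for statically linked copies, as an added example that is not part of the advisory or of libssh2: scan a binary's bytes for the library's default client banner and compare the embedded version against the affected range the advisory gives (up to and including 1.11.1). It assumes the embedding binary still carries libssh2's default banner string `SSH-2.0-libssh2_<version>` as a literal; the sample "binary" fragments are constructed for this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example. Assumption: a libssh2 copy, static or shared, still carries
 * the library's default client banner "SSH-2.0-libssh2_<version>" as a literal. */
static const char BANNER_PREFIX[] = "SSH-2.0-libssh2_";

/* Parse "major.minor.patch"; returns false if malformed. */
bool parse_version(const char *s, int *maj, int *min, int *pat)
{
    return sscanf(s, "%d.%d.%d", maj, min, pat) == 3;
}

/* Affected range per the advisory: every release up to and including 1.11.1. */
bool version_is_affected(int maj, int min, int pat)
{
    if (maj != 1) return maj < 1;
    if (min != 11) return min < 11;
    return pat <= 1;
}

/* Find the banner in a byte blob and copy the version that follows it into out.
 * Returns false if no banner is present. */
bool find_libssh2_version(const unsigned char *blob, size_t len, char *out, size_t out_len)
{
    size_t plen = sizeof BANNER_PREFIX - 1;
    for (size_t i = 0; i + plen <= len; i++) {
        if (memcmp(blob + i, BANNER_PREFIX, plen) != 0)
            continue;
        size_t j = 0, k = i + plen;
        while (k < len && j + 1 < out_len && (isdigit(blob[k]) || blob[k] == '.'))
            out[j++] = (char)blob[k++];
        out[j] = '\0';
        return j > 0;
    }
    return false;
}

/* Classify a blob: 1 = libssh2 at an affected version, 0 = libssh2 at a later
 * version, -1 = no banner found (or version unparseable). */
int classify_blob(const unsigned char *blob, size_t len)
{
    char ver[32];
    int maj, min, pat;
    if (!find_libssh2_version(blob, len, ver, sizeof ver)) return -1;
    if (!parse_version(ver, &maj, &min, &pat)) return -1;
    return version_is_affected(maj, min, pat) ? 1 : 0;
}

/* Read a whole file into memory and classify it; -2 if the file cannot be read. */
int classify_file(const char *path)
{
    FILE *f = fopen(path, "rb");
    if (!f) return -2;
    size_t cap = 1 << 20, len = 0, n;
    unsigned char *buf = malloc(cap);
    if (!buf) { fclose(f); return -2; }
    while ((n = fread(buf + len, 1, cap - len, f)) > 0) {
        len += n;
        if (len == cap) {               /* grow the buffer and keep reading */
            cap *= 2;
            unsigned char *nb = realloc(buf, cap);
            if (!nb) { free(buf); fclose(f); return -2; }
            buf = nb;
        }
    }
    fclose(f);
    int rc = classify_blob(buf, len);
    free(buf);
    return rc;
}

/* Constructed sample "binary" fragments: one with an affected version embedded
 * between unrelated bytes, one with no libssh2 banner at all. */
const unsigned char SAMPLE_AFFECTED[] = "\x7f" "ELF" "\0\0" "SSH-2.0-libssh2_1.11.1" "\0" "OpenSSL";
const unsigned char SAMPLE_NONE[]     = "\x7f" "ELF" "\0\0" "SSH-2.0-OpenSSH_9.9" "\0";

int main(int argc, char **argv)
{
    if (argc > 1) {                     /* classify each file given on the command line */
        for (int i = 1; i < argc; i++)
            printf("%s: %d\n", argv[i], classify_file(argv[i]));
        return 0;
    }
    printf("constructed affected sample -> %d\n", classify_blob(SAMPLE_AFFECTED, sizeof SAMPLE_AFFECTED));
    printf("constructed no-banner sample -> %d\n", classify_blob(SAMPLE_NONE, sizeof SAMPLE_NONE));
    return 0;
}
```

Run it with one or more binary paths to get a 1/0/-1/-2 verdict per file. Treat a miss as one signal rather than proof of absence: an application can replace the banner with `libssh2_session_banner_set()`, and a custom build may strip or rename it, so combine this scan with SBOM data and the package manager's view of dynamically linked copies.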
## References
- **Vendor Advisory (libssh2 PR #2052):** hxxps[://]github[.]com/libssh2/libssh2/pull/2052
- **NVD Entry:** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2026-55200
- **NHS England Advisory:** hxxps[://]digital[.]nhs[.]uk/cyber-alerts/2026/cc-4799
- **VulnCheck Advisory:** hxxps[://]www[.]vulncheck[.]com/advisories/libssh2-out-of-bounds-write-via-unchecked-packet-length-in-transport-c