June 29, 2026
Public PoC Released for Critical libssh2 Flaw That Could Enable Remote Code Execution on SSH…

By security-news.net | pentest.day
A public proof-of-concept (PoC) exploit has been released for CVE-2026-55200, a critical vulnerability in the widely used libssh2 library. A malicious or compromised SSH server can use it to corrupt the memory of a connecting client, potentially leading to remote code execution (RCE) on the client side.
The vulnerability affects all libssh2 versions up to and including 1.11.1 and carries a CVSS 4.0 score of 9.2, making it one of the most severe client-side SSH vulnerabilities disclosed this year.
Unlike the more familiar SSH vulnerabilities that target servers, CVE-2026-55200 affects SSH clients: any application that uses libssh2 to initiate outbound SSH connections is exposed if it connects to a malicious or compromised server.
Millions of Applications May Be Affected
libssh2 is one of the most widely deployed SSH client libraries in the software ecosystem. It is embedded in numerous applications and products, including:
- curl
- libgit2, the Git library used by many GUI clients and tooling (the git command itself shells out to the system ssh binary rather than linking libssh2)
- PHP
- Backup and synchronization software
- Firmware update utilities
- Network appliances
- Embedded Linux devices
- Industrial systems
Many vendors compile libssh2 directly into their applications using static linking, so updating the operating system's libssh2 package does not replace those embedded copies. As a result, organizations may unknowingly continue running vulnerable software even after applying standard updates.
How the Vulnerability Works
The flaw resides in _libssh2_transport_read(), the function in libssh2's transport layer that reads and parses incoming SSH packets, including those exchanged during the connection handshake.
Researchers found that libssh2 trusted the attacker-controlled packet_length field of the SSH binary packet without checking it against a maximum size.
By sending a crafted packet whose packet_length is 0xFFFFFFFF (the largest value the 32-bit field can hold), a malicious server triggers a 32-bit integer overflow when libssh2 uses that value in its buffer-size arithmetic.
Because the sum wraps around to a much smaller value, libssh2 allocates only a tiny buffer, while later code still copies the entire oversized packet into it.
The result is a classic heap-based buffer overflow, classified as CWE-680 (Integer Overflow to Buffer Overflow), which an attacker may leverage to corrupt memory and potentially execute arbitrary code in the client process.
The official patch adds the missing validation by rejecting any packet larger than LIBSSH2_PACKET_MAXPAYLOAD before memory is allocated.
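The wrap-around described above, and the shape of the check that prevents it, as an added illustration in C. This is not libssh2's code: the function names, the 40000-byte cap (standing in for LIBSSH2_PACKET_MAXPAYLOAD, whose actual value this page does not give) and the 20-byte MAC length are assumptions made for the example. The vulnerable function returns the size that would be handed to malloc(); the hardened one refuses the packet before any arithmetic happens.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical cap on a packet's declared size, standing in for libssh2's
 * LIBSSH2_PACKET_MAXPAYLOAD (value assumed for this example). RFC 4253
 * section 6.1 requires clients to accept total packet lengths of at least
 * 35000 bytes, so a real cap must not be lower than that. */
#define PACKET_MAXPAYLOAD 40000u

/* RFC 4253 section 6 binary packet: uint32 packet_length | byte padding_length |
 * payload | random padding | MAC. packet_length excludes the length field and MAC. */
#define LEN_FIELD 4u
#define MAC_LEN   20u   /* assumed hmac-sha1 tag length for the example */

enum pkt_status { PKT_OK = 0, PKT_TOO_LARGE = -1, PKT_TOO_SHORT = -2 };

static uint32_t read_u32_be(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern (CWE-680): the buffer size is computed in 32-bit arithmetic
 * directly from the attacker-controlled field. For 0xFFFFFFFF the sum wraps to
 * 0x17 = 23, so malloc() would be asked for 23 bytes while the copy that follows
 * still uses packet_length. Returns the size that would be requested. */
uint32_t vuln_alloc_size(uint32_t packet_length)
{
    return (uint32_t)(packet_length + LEN_FIELD + MAC_LEN);
}

/* 1 when the vulnerable computation yields a buffer smaller than the data that
 * would later be copied into it, i.e. the heap-overflow condition. */
int vuln_overflows(uint32_t packet_length)
{
    return vuln_alloc_size(packet_length) < packet_length;
}

/* Hardened pattern, mirroring the shape of the fix the article describes: bound
 * the field before any arithmetic or allocation. Once packet_length is at most
 * the cap, the sum cannot exceed UINT32_MAX; it is computed in size_t anyway. */
enum pkt_status safe_alloc_size(uint32_t packet_length, size_t *out)
{
    if (packet_length > PACKET_MAXPAYLOAD)
        return PKT_TOO_LARGE;
    *out = (size_t)packet_length + LEN_FIELD + MAC_LEN;
    return PKT_OK;
}

/* Parse the leading uint32 of a received record and validate it. */
enum pkt_status parse_packet_header(const unsigned char *rec, size_t reclen,
                                    size_t *alloc_out)
{
    if (reclen < LEN_FIELD)
        return PKT_TOO_SHORT;
    return safe_alloc_size(read_u32_be(rec), alloc_out);
}

int main(void)
{
    /* Constructed record from a hostile server: packet_length = 0xFFFFFFFF. */
    static const unsigned char hostile[] = { 0xff, 0xff, 0xff, 0xff, 0x04, 'p', 'a', 'y' };
    uint32_t pl = read_u32_be(hostile);
    size_t n = 0;

    printf("vulnerable: packet_length=%u -> malloc(%u), overflow=%d\n",
           (unsigned)pl, (unsigned)vuln_alloc_size(pl), vuln_overflows(pl));
    printf("hardened:   status=%d\n", (int)parse_packet_header(hostile, sizeof hostile, &n));
    return 0;
}
```

The point to carry away is the ordering: the bound check has to run on the raw field, before any addition that uses it, because the overflow happens in the addition itself. Checking the wrapped result against the cap afterwards would pass (23 is well under 40000) and miss the bug entirely.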
A Familiar Bug Returns
Security researchers noted that this is not the first time libssh2 has suffered from this exact class of vulnerability.
In 2019, the developers fixed CVE-2019-3855 (in libssh2 1.8.1), an integer overflow in the same transport layer that likewise allowed a malicious SSH server to compromise connecting clients.
The reappearance of a nearly identical flaw seven years later shows how this class of integer-arithmetic error can persist in a mature project even after a near-identical bug has been fixed.
Public PoC Now Available
Security researcher Tristan Madani responsibly disclosed the vulnerability to the libssh2 maintainers, who merged a fix on June 12 through pull request #2052.
Shortly afterward, the vulnerability was assigned CVE-2026-55200, and an independent GitHub repository known as Exploitarium published a public proof-of-concept demonstrating the flaw.
The released code is not a fully weaponized exploit capable of compromising arbitrary systems over the internet. Instead, it includes:
- A controlled SSH trigger demonstrating the vulnerability.
- A harness for testing remote code execution locally.
- Supporting code for security research and vulnerability validation.
Successfully converting the PoC into a reliable real-world exploit would still depend on several factors, including:
- Target application architecture.
- Memory allocator behavior.
- Compiler protections.
- Operating system exploit mitigations.
- The specific way software integrates libssh2.
At the time of publication, CISA has not reported active exploitation, and no confirmed attacks abusing this vulnerability have been observed in the wild.
No Official Release Yet
Although the vulnerability has been patched in the libssh2 source repository, an official stable release containing the fix has not yet been published.
Several Linux distributions have already begun backporting the patch independently. Debian, for example, has incorporated the fix into its testing branch while other vendors prepare security updates.
Healthcare organizations have also received guidance from NHS England Digital, which issued an advisory recommending immediate patching for affected environments.
Recommended Mitigations
Organizations using libssh2 should act immediately by:
- Identifying every application that includes libssh2, including statically linked copies.
- Applying vendor updates or builds containing commit 97acf3d, which fixes the vulnerability.
- Restricting outbound SSH connections to trusted servers until patches are installed.
- Carefully verifying SSH host keys before establishing new connections.
- Monitoring systems for abnormal SSH client crashes or malformed packet activity.
- Following vendor security advisories for updated packages.
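The first step in the list, and the static-linking problem described earlier, need a check that does not depend on the package manager. libssh2 announces itself to servers with the banner "SSH-2.0-libssh2_<version>" (LIBSSH2_SSH_DEFAULT_BANNER in libssh2.h), and that string is compiled into the library, so it survives inside statically linked binaries and firmware images. The scanner below is an added example, not a tool from the libssh2 project or from this article: it searches a file's raw bytes for the banner, extracts the version, and flags anything at or below 1.11.1, the range the article lists as affected.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The client banner libssh2 compiles in; it is what a scan can key on. */
#define BANNER_PREFIX "SSH-2.0-libssh2_"

/* Copy the version that follows the banner prefix in buf into out (NUL-terminated).
 * Returns 1 if a banner was found, 0 otherwise. Binaries contain NUL bytes, so the
 * search works on explicit lengths rather than C strings. */
int find_libssh2_version(const unsigned char *buf, size_t len, char *out, size_t outlen)
{
    const size_t plen = strlen(BANNER_PREFIX);
    if (outlen == 0)
        return 0;
    for (size_t i = 0; i + plen <= len; i++) {
        if (memcmp(buf + i, BANNER_PREFIX, plen) != 0)
            continue;
        size_t j = i + plen, k = 0;
        /* Version characters: digits and dots, plus suffixes such as "_DEV". */
        while (j < len && k + 1 < outlen &&
               (isdigit(buf[j]) || isalpha(buf[j]) ||
                buf[j] == '.' || buf[j] == '_' || buf[j] == '-'))
            out[k++] = (char)buf[j++];
        out[k] = '\0';
        return k > 0;
    }
    return 0;
}

/* 1 if the version is in the range the advisory marks as affected (<= 1.11.1),
 * 0 if newer, -1 if the string does not parse. Trailing suffixes are ignored. */
int version_is_affected(const char *ver)
{
    unsigned maj = 0, min = 0, pat = 0;
    if (sscanf(ver, "%u.%u.%u", &maj, &min, &pat) < 2)
        return -1;
    unsigned long key = (unsigned long)maj * 1000000UL + min * 1000UL + pat;
    return key <= 1011001UL;
}

/* Scan one file, print a verdict, and return 1 if an affected copy was found. */
int scan_file(const char *path)
{
    FILE *fp = fopen(path, "rb");
    if (!fp) {
        perror(path);
        return 0;
    }
    fseek(fp, 0, SEEK_END);
    long sz = ftell(fp);
    rewind(fp);
    if (sz <= 0) {
        fclose(fp);
        return 0;
    }
    unsigned char *buf = malloc((size_t)sz);
    if (!buf || fread(buf, 1, (size_t)sz, fp) != (size_t)sz) {
        free(buf);
        fclose(fp);
        return 0;
    }
    fclose(fp);

    char ver[64];
    int affected = 0;
    if (find_libssh2_version(buf, (size_t)sz, ver, sizeof ver)) {
        affected = version_is_affected(ver) == 1;
        printf("%-8s %s (libssh2 %s)\n", affected ? "AFFECTED" : "ok", path, ver);
    }
    free(buf);
    return affected;
}

int main(int argc, char **argv)
{
    int hits = 0;
    for (int i = 1; i < argc; i++)
        hits += scan_file(argv[i]);
    return hits ? 1 : 0;
}
```

Run it over executables and shared objects, for example with `find /usr /opt -type f -perm -u+x -exec ./libssh2scan {} +`; on a shell, `grep -a -o 'SSH-2.0-libssh2_[0-9.]*'` gives the same raw hits without the version classification. Two caveats: a distribution that backports the fix (as Debian is reported to be doing) does not bump the version string, so a match is evidence of exposure rather than proof, and the final word is whether the vendor's build contains commit 97acf3d; and a binary that is compressed or obfuscated will not expose the banner to a byte scan at all.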
Administrators should also prioritize patching two additional recently disclosed libssh2 vulnerabilities:
- CVE-2026-55199 (CVSS 8.2), which allows attackers to trap clients in a CPU-consuming denial-of-service loop.
- CVE-2025-15661 (CVSS 8.3), an SFTP heap over-read vulnerability affecting file transfer operations.
Hidden Risk in Embedded Software
Perhaps the greatest challenge posed by CVE-2026–55200 is visibility.
Because libssh2 is bundled into countless applications, embedded devices, enterprise appliances, and firmware images, many vulnerable copies may remain undetected long after operating system packages are updated.
Security teams should therefore inventory third-party software carefully and not assume that standard package updates fully eliminate exposure.
With a public proof-of-concept now available, organizations should expect increased security scanning and potential exploit development in the coming weeks, making prompt remediation a high priority.