Critical libssh2 Vulnerabilities Allow Remote Code Execution and Denial of Service

Overview

CVE: CVE-2026-55200, CVE-2026-55199

Severity: Critical

Date: 25 June 2026

libssh2 has disclosed two vulnerabilities affecting versions 1.11.1 and earlier. These issues impact systems and applications that rely on libssh2 for SSH connectivity.

The highest severity issue, CVE-2026-55200, may allow remote attackers to corrupt heap memory and achieve remote code execution by sending crafted SSH packets. A second issue, CVE-2026-55199, may allow a malicious SSH server to trigger a pre-authentication CPU exhaustion condition in a vulnerable libssh2 client.


Affected Versions

  • libssh2 1.11.1 and earlier are affected.

  • CVE-2026-55200 is fixed in commit 7acf3df.

  • CVE-2026-55199 is fixed in commit 1762685.

  • Organisations should apply the latest available vendor or distribution package updates as soon as possible.


Vulnerability Breakdown

CVE-2026-55200 - Out-of-bounds write in transport handling

Severity: Critical

CVSS: 9.2

Description: libssh2 through 1.11.1 contains an out-of-bounds write vulnerability in ssh2_transport_read(). The vulnerable code fails to enforce upper bounds on the packet_length field.

Impact: Remote attackers may send crafted SSH packets with excessively large packet_length values to corrupt heap memory and potentially achieve remote code execution.

Conditions: Network access is required. The CVSS vector indicates that no privileges and no user interaction are required, but the attack requirements metric is marked as present, meaning exploitation depends on conditions outside the attacker's direct control.

Notes: This issue is tracked as CWE-680, Integer Overflow to Buffer Overflow.


CVE-2026-55199 - Pre-authentication denial of service in SSH_MSG_EXT_INFO handler

Severity: High

CVSS: 8.2

Description: libssh2 through 1.11.1 contains a pre-authentication denial of service vulnerability in the SSH_MSG_EXT_INFO handler in src/packet.c.

Impact: A malicious SSH server may cause a vulnerable libssh2 client to enter a CPU exhaustion loop for over 60 seconds.

Conditions: The client must connect to a malicious SSH server. The malicious server can set nr_extensions to 0xFFFFFFFF during key exchange, causing a tight CPU loop because return values from _libssh2_get_string() are unchecked and the session timeout does not apply to CPU-bound loops.

Notes: This issue is tracked as CWE-835, Loop with Unreachable Exit Condition.
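As an added illustration (not libssh2's own code) of the two checks the fixes need: an upper bound on packet_length before it sizes any buffer, and an SSH_MSG_EXT_INFO loop that is bounded by the bytes actually present and checks every string read. MAX_PACKET_LEN, read_u32, get_string and parse_ext_info are assumed names for this example, and the 35000-byte ceiling is an assumed value.

```c
#include <stdint.h>
#include <stddef.h>

/* Added example, not libssh2 code. MAX_PACKET_LEN is an assumed ceiling
   (RFC 4253 requires implementations to accept at least 35000 bytes). */
#define MAX_PACKET_LEN 35000u

static uint32_t read_u32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* CVE-2026-55200 class: bound packet_length before it sizes any buffer. */
int packet_length_ok(uint32_t packet_length)
{
    return packet_length != 0 && packet_length <= MAX_PACKET_LEN;
}

/* Read one SSH string (uint32 length + bytes) at *pos; returns 1 on
   success, 0 if the buffer does not hold a complete string. */
static int get_string(const uint8_t *buf, size_t len, size_t *pos, uint32_t *out_len)
{
    uint32_t n;
    if (len - *pos < 4)
        return 0;
    n = read_u32(buf + *pos);
    *pos += 4;
    if (n > len - *pos)          /* body would run past the buffer */
        return 0;
    *out_len = n;
    *pos += n;
    return 1;
}

/* CVE-2026-55199 class: parse the SSH_MSG_EXT_INFO body (after the message
   type byte): uint32 nr_extensions, then that many (name, value) string
   pairs. Returns the count parsed, or -1 if malformed. The count is bounded
   by the bytes present and every get_string() result is checked, so
   nr_extensions = 0xFFFFFFFF fails at once instead of spinning. */
int parse_ext_info(const uint8_t *buf, size_t len)
{
    size_t pos = 4;
    uint32_t nr, i, nlen, vlen;
    if (len < 4)
        return -1;
    nr = read_u32(buf);
    if (nr > (len - pos) / 8)    /* each pair needs at least 8 bytes */
        return -1;
    for (i = 0; i < nr; i++)
        if (!get_string(buf, len, &pos, &nlen) || !get_string(buf, len, &pos, &vlen))
            return -1;
    return (int)nr;
}
```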


Mitigation

  • Update libssh2 to a version or package build that includes the fixes for CVE-2026-55200 and CVE-2026-55199.

  • Prioritise systems, applications, appliances, and embedded products that use libssh2 for SSH connectivity.

  • Review software bills of materials and dependency inventories for products that bundle libssh2.

  • Apply vendor or Linux distribution security updates where libssh2 is supplied through package repositories.

  • Restrict outbound SSH connections from systems using vulnerable libssh2 clients where practical.

  • Monitor vendor advisories for downstream products that may include libssh2 as an embedded dependency.


Summary for IT Teams

Products: libssh2

Threat Level: Critical, CVSS 9.2

Action Required: Identify affected libssh2 deployments and apply the latest vendor or distribution updates. Prioritise internet-facing systems, products that process untrusted SSH traffic, and clients that may connect to untrusted SSH servers.


Need Help?

If your organisation needs assistance assessing exposure, validating affected systems, or prioritising remediation, we can help.

Contact our SOC team on 1300 769 460 or email us for support.

Australia is secure when
Australian talent defends it.

Reach out today to discuss how, with Lumara, we can work together to protect your business from the ever-changing Australian threat landscape.