libssh2 CVE-2026-55200 (CVSS 9.2) Client-Side RCE

A critical client-side SSH vulnerability, CVE-2026-55200, has been identified in the libssh2 library. This flaw allows a malicious or compromised SSH server to trigger memory corruption on a connecting client, potentially leading to remote code execution. With a CVSS 4.0 score of 9.2, this vulnerability affects all libssh2 releases up to and including 1.11.1.

A public Proof-of-Concept (PoC) for CVE-2026-55200 has been released, demonstrating the feasibility of exploitation. While no in-the-wild exploitation has been publicly reported by CISA as of the latest intelligence, the existence of a public PoC significantly increases the immediate risk to unpatched systems. The widespread use of libssh2 across various applications, including curl, Git, and PHP, increases the potential attack surface.

The vulnerability stems from an integer overflow issue that leads to an out-of-bounds heap write. This class of memory corruption is a common method for achieving code execution. Due to the widespread embedding of libssh2 in numerous products and appliances, including statically linked versions, identifying and patching all vulnerable instances presents a significant challenge for organizations.

What is CVE-2026-55200 and why is it critical?

CVE-2026-55200 is a critical client-side memory corruption vulnerability in the libssh2 library. It allows a malicious SSH server to potentially execute arbitrary code on a connecting client. Its criticality stems from its high CVSS 4.0 score of 9.2, the absence of user interaction or credentials required for exploitation, and the library's widespread use in many software applications. The flaw, categorized as CWE-680 (Integer Overflow to Buffer Overflow), affects how libssh2 parses incoming SSH packets during the handshake phase, specifically in the ssh2_transport_read() function within transport.c.

The vulnerability's impact is significant because libssh2 plays a key role as a client-side SSH library. It is widely embedded in applications that initiate SSH connections, such as version control systems, backup agents, and system updaters. This means that a compromise of an SSH server, or the establishment of a rogue SSH server, could lead to Remote Code Execution (RCE) on clients attempting to connect. The critical nature is further shown by the fact that many instances of libssh2 are statically linked, making them difficult to track and update through standard package management processes. This widens the window for potential exploitation against systems thought to be secure.

Impact

An attacker successfully exploiting CVE-2026-55200 can achieve Remote Code Execution (RCE) on the client system that connects to their malicious or compromised SSH server. This means the attacker can run arbitrary code with the privileges of the vulnerable application, potentially gaining control over the client machine. The vulnerability requires no user interaction or credentials, making it a potent attack vector.

Organizations and individual users are at risk if they operate any software that links libssh2 and makes outbound SSH connections to untrusted or potentially compromised SSH endpoints. The attack surface is broad because libssh2 is a core component embedded within numerous widely used products, not just a standalone application. Examples include:

  • curl: A command-line tool and library for transferring data with URLs.
  • Git: The industry-standard distributed version control system.
  • PHP: A popular server-side scripting language used for web development.
  • Backup agents: Software solutions designed for data backup and recovery.
  • Firmware updaters: Utilities responsible for applying updates to hardware firmware.
  • A diverse range of appliances and specialized software.

The real-world reach of this vulnerability is difficult to fully quantify due to the nature of library embedding. Many copies of libssh2 are statically linked into applications. This means they are bundled directly with the application's executable rather than relying on a dynamically loaded system library. This significantly complicates inventorying efforts, as these embedded instances may not be detected by standard software package managers. This situation creates a hidden and ongoing risk, as organizations may be unaware of vulnerable libssh2 instances within their operational environment. The direct impact is the compromise of client machines, which could then be used as staging points for further network penetration, data exfiltration, or the deployment of malware.

Exploitation chain

The flaw in libssh2 originates within the ssh2_transport_read() function, located in transport.c. This function parses incoming SSH packets during the handshake process. The vulnerability lies in its handling of the packet_length field, which is controlled by the SSH server. The function inadequately validated this field, rejecting only values below 1 and critically failing to enforce an upper bound.

This omission creates an integer overflow scenario (CWE-680). When an attacker provides a packet_length of 0xffffffff, a 32-bit arithmetic operation involving this length wraps around to a very small number. libssh2 subsequently allocates a buffer sized for this tiny, incorrect number. However, later code attempts to write the full, oversized packet (derived from the attacker-controlled 0xffffffff length) into this undersized buffer. This mismatch results in an out-of-bounds heap write, a common method for memory corruption that can be used for arbitrary code execution.

The fix for this vulnerability involves adding the necessary bounds checking, rejecting any packet_length above LIBSSH2_PACKET_MAXPAYLOAD before the erroneous arithmetic can occur. This patch was merged via pull request #2052 through commit 97acf3dfda80c91c3a8c9f2372546301d4a1a7a8 on June 12. Security researcher Tristan Madani reported the issue, and VulnCheck subsequently published the CVE on June 17.

A public Proof-of-Concept (PoC) for CVE-2026-55200 has been published in "exploitarium," a GitHub archive containing various exploit codes. This PoC includes a locally verified SSH trigger scaffold and a controlled local RCE harness. While this demonstrates the vulnerability's exploitability, it is not a turnkey remote exploit. Achieving reliable code execution against a live application would require further development, accounting for the target binary's specifics, allocator behavior, existing mitigations, and how the software embeds libssh2. This situation is similar to the rapid availability of exploits for other critical vulnerabilities, as seen in our prior analysis of a Cisco CUCM exploit for CVE-2026-20230, which also saw a public PoC quickly emerge.

This is not the first instance of libssh2 encountering this class of vulnerability. In 2019, version 1.8.1 was released to address nine flaws, which prominently featured CVE-2019-3855. This earlier vulnerability was a near-identical integer overflow in the same transport read code, also allowing a malicious server to execute code on a connecting client. The recurrence of this specific bug class after seven years shows an ongoing challenge in securing basic library components. This pattern of flaws in widely used network libraries, often leading to unauthenticated Remote Code Execution, has been observed in other critical components, such as discussed in our analysis of the Kopia unauthenticated RCE CVE-2026-45695 which also involved SSH-related injection.

Affected products and versions

The libssh2 library is vulnerable to CVE-2026-55200 across all releases up to and including 1.11.1. This is a client-side vulnerability, meaning any application or system component that incorporates libssh2 and initiates an SSH connection to a malicious or compromised server is susceptible. Given libssh2's role as a basic open-source library, its widespread adoption means a wide range of products are potentially affected. Identifying every affected application can be challenging due to the various methods of library integration (e.g., static linking, dynamic linking, bundled copies).

Common product categories and specific examples known to embed libssh2 and therefore may be impacted include:

  • Version Control Systems:
  • Git (when configured to use SSH for repository operations).
  • Data Transfer Utilities:
  • curl (both the command-line tool and its underlying library, which supports SSH/SFTP).
  • Web Development Frameworks and Languages:
  • PHP (via extensions that utilize libssh2 for SSH functionalities).
  • Backup and Recovery Solutions:
  • Various backup agents that use SSH for secure file transfer.
  • System and Device Management:
  • Firmware updaters for network devices, IoT devices, and other appliances.
  • Management interfaces or agents on certain hardware appliances that rely on SSH for connectivity.
  • Other Applications:
  • Any custom or third-party application that utilizes libssh2 for SSH client functionality.

A significant challenge for organizations lies in inventorying all instances of libssh2, especially statically linked instances. Statically linked copies are bundled directly into the application's binary, making them invisible to standard operating system package managers. This requires a thorough software bill of materials (SBOM) analysis or dynamic analysis to identify all embedded instances of the vulnerable library. NHS England Digital has issued advisory CC-4799, showing the broad concern and urging affected organizations to update.

Detection

Detecting exploitation attempts or vulnerable libssh2 instances requires a layered approach examining network traffic, system logs, and endpoint behavior. Given CVE-2026-55200's client-side nature, primary indicators will revolve around outbound SSH connections from affected clients.

Network Indicators:

  • Oversized SSH Packet Anomalies: Monitor SSH network traffic for packets with unusually large or malformed packet_length fields during the SSH handshake phase. While precise thresholds may vary, an SSH packet attempting to declare an excessively large payload size (e.g., approaching 0xffffffff) is a strong indicator of an exploitation attempt.
  • Unusual SSH Server IP Addresses: Identify outbound SSH connections to untrusted, newly observed, or suspicious IP addresses or domains. Prioritize monitoring for clients that connect to external SSH servers or resolve hosts through names an attacker could redirect.
  • Spurious SSH Connections: Look for SSH connections originating from applications or systems that do not typically establish such connections.

Endpoint Detection and Response (EDR) Queries and System Logs:

  • Process Crashes/Abnormal Terminations: Monitor system logs for unexplained client crashes, process terminations, or segmentation faults occurring in applications that utilize libssh2. Correlate these events with recent outbound SSH connection attempts. Specific processes to monitor include curl, git, or PHP processes that interact with SSH.
  • Memory Corruption Signatures: Advanced EDR solutions may detect memory corruption patterns, such as out-of-bounds writes or heap corruption, within processes linked to libssh2. Look for alerts related to CWE-680 or integer overflow vulnerabilities.
  • Unusual Process Behavior: Observe any unusual behavior from SSH client applications, such as unexpected child process spawning, elevated resource consumption, or network connections to internal or external resources not typically associated with their function.
  • Library Version Identification: Use system tools (e.g., ldd on Linux, dumpbin on Windows) to identify dynamically linked libssh2 versions within running processes. For statically linked binaries, string searches for libssh2 version strings or hash analysis of binaries might provide clues; however, this is more complex.

Threat Intelligence Integration:

  • Regularly consult threat intelligence feeds for new Indicators of Compromise (IOCs) related to CVE-2026-55200, including any specific malicious SSH server fingerprints or network patterns. While no in-the-wild IOCs are currently reported, this remains a critical monitoring activity.

Thorough logging for all outbound SSH traffic and complete endpoint telemetry is crucial for detecting both known and unknown threats related to client-side vulnerabilities like CVE-2026-55200.

Remediation

Remediation for CVE-2026-55200 requires immediate action, focusing on patching, effective workarounds, and improved monitoring capabilities. Given the library's embedded nature, a thorough inventory is the first step.

1. Patching:

  • Apply the specific commit: A fixed libssh2 release (e.g., 1.12.0) is still being prepared by upstream maintainers. The primary remediation is to apply a build that incorporates commit 97acf3dfda80c91c3a8c9f2372546301d4a1a7a8.
  • Monitor vendor advisories: Closely watch advisory channels from your operating system vendors (e.g., Debian already has a repaired build in testing) and software vendors whose products embed libssh2. They will likely provide backported patches for their affected software or updated versions of libssh2.
  • Inventory all libssh2 instances: Conduct a full inventory of all systems and applications that link libssh2. This includes dynamically linked libraries, statically linked binaries (which require more advanced scanning or SBOM analysis), and bundled copies within appliances or custom software. Prioritize clients that regularly connect to external or untrusted SSH servers.
  • Update other related CVEs: While addressing CVE-2026-55200, also patch other recently disclosed libssh2 vulnerabilities:
  • CVE-2026-55199 (CVSS 8.2), a denial of service flaw.
  • CVE-2025-15661 (CVSS 8.3), an SFTP heap over-read.

2. Workarounds and Mitigations (Until Patched):

  • Restrict outbound SSH connections: Implement network-level controls (e.g., firewall rules, egress filtering) to strictly limit outbound SSH connections (TCP port 22 or custom SSH ports) from vulnerable clients to only known and trusted SSH servers.
  • Verify SSH host keys: Enforce strict SSH host key verification for all SSH connections. Ensure clients are configured to refuse connections if the host key of the remote server does not match a pre-known, trusted key. This can help prevent connections to attacker-controlled servers masquerading as legitimate ones.
  • Isolate critical clients: For critical systems that cannot be immediately patched, isolate them network-wise to prevent them from initiating outbound SSH connections to untrusted segments or the internet.
  • Implement egress proxies/gateways: Route all outbound SSH traffic through a hardened SSH proxy or gateway that can perform additional validation and potentially filter out malformed SSH packets, although this is a complex solution.

3. Improved Monitoring:

  • Increased logging: Enable verbose logging for all SSH client activities and review logs for any anomalous behavior, unexpected disconnections, or error messages indicative of memory corruption or crashes.
  • Endpoint detection and response (EDR): Improve EDR monitoring on clients running libssh2-dependent applications. Configure EDR rules to alert on process crashes, unusual memory access patterns, or unexpected process termination associated with libssh2 binaries.
  • Network traffic analysis: Continuously monitor network traffic for SSH packets exhibiting oversized payloads or other indicators of the described exploitation attempt.

NHS England Digital has provided a specific alert, CC-4799, highlighting the urgency for organizations to address this vulnerability. Prompt action across these remediation categories is essential to reduce exposure to CVE-2026-55200.

Technical Takeaways

  • CVE-2026-55200 is a critical client-side memory corruption vulnerability in libssh2, rated CVSS 4.0 9.2, affecting versions up to 1.11.1.
  • The flaw is an integer overflow (CWE-680) in ssh2_transport_read() that leads to an out-of-bounds heap write when handling attacker-controlled packet_length values.
  • Exploitation requires no user interaction or credentials, allowing a malicious SSH server to potentially achieve Remote Code Execution (RCE) on connecting clients.
  • A public Proof-of-Concept (PoC) exists, demonstrating exploitability. This increases the urgency for patching, similar to how buffer overflows in basic libraries like zlib can lead to RCE, as discussed in our analysis of zlib CVE-2026-22184.
  • The widespread embedding of libssh2 in applications like curl, Git, and PHP, especially statically linked instances, makes identification and patching efforts difficult.
  • Remediation involves applying the patch via commit 97acf3dfda80c91c3a8c9f2372546301d4a1a7a8, restricting outbound SSH connections to trusted servers, and improving monitoring for unusual client behavior.