- CVE: CVE-2026-55200
- CVSS: 9.2 (Critical · CVSSv4)
- Product: libssh2
- Affected: ≤ 1.11.1
- Impact: libssh2 - Out-of-Bounds Write via Unchecked packet_length in transport.c
- Status: No confirmed exploitation yet
- Patched in: 7acf3dfda80c91c3a8c9f2372546301d4a1a7a8
- EPSS: 0.6% (30-day)
- Action: Update to a build that includes commit 7acf3dfda80c91c3a8c9f2372546301d4a1a7a8 now
TL;DR
A serious libssh2 vulnerability now puts SSH clients at risk. Researchers track it as CVE-2026-55200, with a CVSS 4.0 score of 9.2. A remote attacker can corrupt memory and run code on the affected client.
Why It Matters
libssh2 powers SSH connections inside many tools and applications, so a single library bug can ripple across the software supply chain. The flaw needs no authentication, which raises the risk further. Moreover, the network attack vector makes remote exploitation possible: an attacker only needs to reach a vulnerable client.
How the Attack Works
The libssh2 vulnerability stems from a missing bounds check. The bug lives in the ssh2_transport_read() function inside transport.c, the code that reads incoming SSH packets during the handshake. It never validates the upper limit of the packet_length field, so a crafted packet with a huge length value slips through. The library then writes past its buffer and corrupts the heap, and that out-of-bounds write can lead to remote code execution.
The VulnCheck advisory explains the root cause in depth. Researcher Tristan Madani reported the issue.
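The defect class described above, shown as an added example that is not libssh2's own code: a hypothetical SSH binary-packet reader that checks the packet_length field against a minimum, an upper bound, and the destination buffer's capacity before any bytes are copied. The constant EXAMPLE_MAX_PACKET_LEN, the function names, and the sample packets are assumptions constructed for this illustration; the only external fact relied on is that RFC 4253 requires implementations to accept total packets of up to 35000 bytes, so a sane upper bound sits a little above that, and that packet_length must cover at least the padding_length byte plus four bytes of padding.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed upper bound for this illustration (not libssh2's constant):
   comfortably above the 35000-byte packet size RFC 4253 requires
   implementations to accept. */
#define EXAMPLE_MAX_PACKET_LEN 40000u
/* RFC 4253 section 6: packet_length covers padding_length (1 byte) plus at
   least 4 bytes of random padding, so anything below 5 is malformed. */
#define SSH_MIN_PACKET_LEN 5u

enum pkt_status {
    PKT_OK = 0,
    PKT_SHORT_HEADER = -1,   /* fewer than 4 bytes received so far */
    PKT_TOO_SMALL = -2,      /* length field below the protocol minimum */
    PKT_TOO_LARGE = -3,      /* length field above our upper bound */
    PKT_EXCEEDS_BUFFER = -4  /* would not fit in the destination buffer */
};

/* Read the big-endian 32-bit packet_length at the start of a packet header. */
static uint32_t read_be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Validate the length field before it is ever used to size a copy.
   hdr/hdr_len: bytes received so far; buf_cap: capacity of the buffer the
   packet would be copied into. packet_len may be NULL if not wanted.
   A reader that skipped the TOO_LARGE and EXCEEDS_BUFFER checks would
   trust the peer-supplied length and write past its buffer. */
int validate_packet_length(const unsigned char *hdr, size_t hdr_len,
                           size_t buf_cap, uint32_t *packet_len) {
    if (hdr_len < 4) return PKT_SHORT_HEADER;
    uint32_t len = read_be32(hdr);
    if (len < SSH_MIN_PACKET_LEN) return PKT_TOO_SMALL;
    if (len > EXAMPLE_MAX_PACKET_LEN) return PKT_TOO_LARGE;
    /* The 4-byte length field itself is staged alongside the packet body. */
    if ((size_t)len + 4 > buf_cap) return PKT_EXCEEDS_BUFFER;
    if (packet_len) *packet_len = len;
    return PKT_OK;
}

/* Copy header plus body into buf only after validation. Returns the number
   of bytes staged, or 0 if the packet was rejected or is still incomplete. */
size_t stage_packet(const unsigned char *pkt, size_t pkt_len,
                    unsigned char *buf, size_t buf_cap) {
    uint32_t len;
    if (validate_packet_length(pkt, pkt_len, buf_cap, &len) != PKT_OK) return 0;
    size_t total = (size_t)len + 4;
    if (total > pkt_len) return 0;  /* wait for the rest; never copy early */
    memcpy(buf, pkt, total);
    return total;
}

/* Constructed samples (not captured traffic). */
const unsigned char SAMPLE_HOSTILE[8] = {0xFF, 0xFF, 0xFF, 0xF0, 0x04, 0, 0, 0};
const unsigned char SAMPLE_SANE[16] = {0, 0, 0, 12, 4, 'a', 'b', 'c', 'd',
                                       'e', 'f', 'g', 0, 0, 0, 0};
unsigned char g_stage_buf[256];

int main(void) {
    printf("hostile length field staged: %zu bytes\n",
           stage_packet(SAMPLE_HOSTILE, sizeof SAMPLE_HOSTILE,
                        g_stage_buf, sizeof g_stage_buf));
    printf("sane packet staged: %zu bytes\n",
           stage_packet(SAMPLE_SANE, sizeof SAMPLE_SANE,
                        g_stage_buf, sizeof g_stage_buf));
    return 0;
}
```

The order of the checks matters: the upper-bound test runs before the buffer-capacity arithmetic, so a 32-bit length near UINT32_MAX is rejected outright rather than being pushed through an addition that could wrap on a 32-bit size_t.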
Exploitation Status
So far, no exploitation in the wild has been confirmed. No public proof-of-concept exists either.
Affected Versions
This libssh2 vulnerability affects every release up to and including version 1.11.1.
Patch and Mitigation
The maintainers shipped a fix in commit 7acf3dfda80c91c3a8c9f2372546301d4a1a7a8. Update to a build that includes it as soon as possible. If you cannot patch yet, limit which servers your clients connect to and trust. Finally, scan your own software for bundled copies of libssh2, since the library is frequently vendored into other products.