Pre-authentication DoS in libssh2 SSH_MSG_EXT_INFO handler

Identifiers: CVE-2026-55199, CWE-835

CVE-2026-55199 is a pre-authentication denial-of-service vulnerability in libssh2 affecting versions through 1.11.1. The flaw is in the SSH_MSG_EXT_INFO handler in src/packet.c during the SSH key-exchange phase. libssh2 does not properly sanity-check the advertised extension count and also fails to adequately handle error returns from _libssh2_get_string(). A malicious SSH server can send a crafted SSH_MSG_EXT_INFO message with nr_extensions set to 0xFFFFFFFF, causing the client to iterate in a tight CPU-bound loop. Because the loop is CPU-bound, the normal session timeout does not interrupt it. The issue is fixed by commit 1762685.
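As an added illustration (not libssh2's own code and not the upstream fix in commit 1762685), the C routine below parses an SSH_MSG_EXT_INFO body with the two checks the description says were missing: it bounds the advertised nr_extensions against the bytes actually present before looping, and it stops on any string-read error. get_string() is a simplified stand-in for _libssh2_get_string(), and the sample messages are constructed.

```c
#include <stdint.h>
#include <stddef.h>
/* Illustrative SSH_MSG_EXT_INFO (RFC 8308, message number 7) parser. This is
 * not libssh2 code; get_string() is a simplified stand-in for
 * _libssh2_get_string(). Wire format: byte type, uint32 nr_extensions, then
 * nr_extensions pairs of SSH strings (uint32 length + bytes). */
#define SSH_MSG_EXT_INFO 7

static int get_u32(const uint8_t **p, size_t *left, uint32_t *out) {
    if (*left < 4) return -1;                    /* truncated message */
    *out = ((uint32_t)(*p)[0] << 24) | ((uint32_t)(*p)[1] << 16) |
           ((uint32_t)(*p)[2] << 8)  |  (uint32_t)(*p)[3];
    *p += 4; *left -= 4;
    return 0;
}

static int get_string(const uint8_t **p, size_t *left,
                      const uint8_t **s, size_t *slen) {
    uint32_t n;
    if (get_u32(p, left, &n) != 0 || n > *left) return -1;   /* length exceeds data */
    *s = *p; *slen = n;
    *p += n; *left -= n;
    return 0;
}

/* Returns the number of extensions parsed, or -1 if the message is malformed.
 * An advertised count that cannot fit in the remaining bytes (each extension
 * needs at least two 4-byte length fields) is rejected before the loop, so
 * nr_extensions = 0xFFFFFFFF fails immediately instead of spinning. */
int parse_ext_info(const uint8_t *msg, size_t len) {
    const uint8_t *p = msg; size_t left = len;
    uint32_t nr, i;
    if (left < 1 || *p != SSH_MSG_EXT_INFO) return -1;
    p++; left--;
    if (get_u32(&p, &left, &nr) != 0) return -1;
    if (nr > left / 8) return -1;                /* sanity-check advertised count */
    for (i = 0; i < nr; i++) {
        const uint8_t *name, *val; size_t nlen, vlen;
        if (get_string(&p, &left, &name, &nlen) != 0) return -1;   /* honour errors */
        if (get_string(&p, &left, &val, &vlen) != 0) return -1;
    }
    return (int)nr;
}

/* Constructed samples: one valid extension ("server-sig-algs" = "ssh-ed25519"),
 * and a header advertising 0xFFFFFFFF extensions with no body. */
static const uint8_t sample_ok[] = { SSH_MSG_EXT_INFO, 0,0,0,1,
    0,0,0,15, 's','e','r','v','e','r','-','s','i','g','-','a','l','g','s',
    0,0,0,11, 's','s','h','-','e','d','2','5','5','1','9' };
static const uint8_t sample_huge[] = { SSH_MSG_EXT_INFO, 0xFF,0xFF,0xFF,0xFF };
```

A message whose string lengths run past the end of the buffer is rejected by the same error path, so a truncated copy of sample_ok also returns -1.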


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation causes the libssh2 client to consume CPU in a tight loop for over 60 seconds and effectively hang during pre-authentication key exchange, resulting in denial of service. Based on the available information, the issue does not provide code execution, but it can disrupt SSH/SCP/SFTP operations in software embedding libssh2, including automation, backup, network-management, and embedded-device workflows.

Mitigation

If you can’t patch tonight, do this now.

Until patched builds are deployed, avoid connecting libssh2-based clients to untrusted, attacker-controlled, or potentially impersonated SSH servers. Reduce exposure by enforcing strict host key verification, limiting outbound SSH/SCP/SFTP connections to trusted endpoints, using network segmentation and egress controls to restrict reachable SSH servers, and prioritizing updates for software and appliances that embed libssh2.

Remediation

Patch, then assume compromise.

Upgrade libssh2 to a version containing the fix (commit 1762685). If an official release with the patch is not yet available in the deployment environment, apply the upstream fix from commit 1762685 or consume a vendor package that has backported the patch. Because libssh2 is often statically linked or bundled into appliances and embedded products, also obtain and deploy vendor-specific updates for affected downstream software.
PUBLIC EXPLOITS

Exploits


No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor     Product    Type
Libssh2    Libssh2    application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
