Mallory
Unrated. Public exploit.

Out-of-bounds write in libssh2 ssh2_transport_read() via unchecked packet_length

Identifiers: CVE-2026-55200, CWE-680

CVE-2026-55200 is a critical memory corruption vulnerability in libssh2 affecting versions through 1.11.1. The flaw is in ssh2_transport_read() in src/transport.c, where the library accepts an attacker-controlled SSH packet_length value in a full-packet decryption path without enforcing the libssh2 maximum packet size before arithmetic and allocation decisions are made. According to the provided content, packet_length is combined with MAC and authentication lengths to compute a total allocation size; with a maliciously large value such as 0xffffffff, the arithmetic can wrap, producing an undersized heap allocation while later processing still uses the original oversized packet-derived length. This creates an out-of-bounds heap write condition during pre-authentication SSH transport handling. The issue is described as fixed upstream by commit 97acf3dfda80c91c3a8c9f2372546301d4a1a7a8 / 7acf3df, which adds boundary checks rejecting packet_length values greater than LIBSSH2_PACKET_MAXPAYLOAD before the vulnerable addition occurs.
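The integer wrap described above is easy to reproduce in isolation. The following C program is an added illustration, not code from libssh2 or from the advisory: it reads the 4-byte big-endian packet_length that opens an SSH binary packet, shows how an unchecked 32-bit sum of packet_length plus MAC and authentication-tag lengths wraps to a small value, and then applies the kind of upper-bound check the upstream fix is described as adding. The value 40000 for the maximum payload, the MAC and authentication lengths, and the sample headers are all constructed for this example; the page names LIBSSH2_PACKET_MAXPAYLOAD but not its value.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed stand-in for libssh2's LIBSSH2_PACKET_MAXPAYLOAD; the page names the
 * macro but does not state its value, so this number is a constructed choice. */
#define EXAMPLE_PACKET_MAXPAYLOAD 40000u

/* Constructed sample overhead that, per the advisory, is added to packet_length
 * when the total allocation size is computed. */
#define SAMPLE_MAC_LEN  20u
#define SAMPLE_AUTH_LEN 16u

/* Constructed 4-byte headers: a benign 256-byte packet_length, and the
 * 0xffffffff value the advisory cites. */
const unsigned char EXAMPLE_BENIGN_HEADER[4]    = { 0x00, 0x00, 0x01, 0x00 };
const unsigned char EXAMPLE_OVERSIZED_HEADER[4] = { 0xff, 0xff, 0xff, 0xff };

/* Read the big-endian uint32 packet_length at the start of an SSH binary
 * packet (RFC 4253, section 6). Returns -1 if fewer than 4 bytes are present. */
int read_packet_length(const unsigned char *buf, size_t len, uint32_t *out)
{
    if (buf == NULL || len < 4 || out == NULL)
        return -1;
    *out = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
           ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];
    return 0;
}

/* The unsafe pattern: add the lengths in 32-bit arithmetic with no bound
 * check. For packet_length = 0xffffffff the sum wraps modulo 2^32 to a tiny
 * number, which is the undersized-allocation condition described above. */
uint32_t unchecked_total(uint32_t packet_length, uint32_t mac_len, uint32_t auth_len)
{
    return packet_length + mac_len + auth_len;
}

/* The hardened pattern: reject packet_length above the maximum before any
 * arithmetic, and compute the total in 64 bits so in-range values cannot wrap.
 * Returns the total on success, or -1 when the packet must be rejected. */
int64_t checked_total(uint32_t packet_length, uint32_t mac_len, uint32_t auth_len)
{
    if (packet_length > EXAMPLE_PACKET_MAXPAYLOAD)
        return -1;
    return (int64_t)packet_length + mac_len + auth_len;
}

/* Parse the on-wire header and validate it in one step. Returns the total
 * size to allocate, or -1 if the packet must be rejected (too short header
 * or packet_length above the maximum). */
int64_t validate_packet_header(const unsigned char *buf, size_t len)
{
    uint32_t packet_length;
    if (read_packet_length(buf, len, &packet_length) != 0)
        return -1;
    return checked_total(packet_length, SAMPLE_MAC_LEN, SAMPLE_AUTH_LEN);
}

int main(void)
{
    printf("unchecked 0xffffffff + %u + %u wraps to %u\n",
           SAMPLE_MAC_LEN, SAMPLE_AUTH_LEN,
           unchecked_total(0xffffffffu, SAMPLE_MAC_LEN, SAMPLE_AUTH_LEN));
    printf("benign header    -> %lld\n",
           (long long)validate_packet_header(EXAMPLE_BENIGN_HEADER, 4));
    printf("oversized header -> %lld (rejected)\n",
           (long long)validate_packet_header(EXAMPLE_OVERSIZED_HEADER, 4));
    return 0;
}
```

The same check, applied to the first four bytes of each SSH binary packet seen on the wire, is also the simplest form of the "anomalously large packet" monitoring mentioned under Mitigation: any packet_length above the expected maximum is by definition malformed for a libssh2 peer.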


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can corrupt heap memory, crash the client process, cause denial of service, and potentially achieve unauthenticated remote code execution in software using libssh2. Because the vulnerable path is reached during initial SSH transport processing, exploitation can occur before authentication. Practical impact depends on the calling application, heap layout, allocator behavior, and exploit mitigations, but the provided content consistently characterizes the worst case as arbitrary code execution from a malicious or impersonated SSH server.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by preventing libssh2-based clients from connecting to untrusted or attacker-controlled SSH servers, enforcing strict host key verification, and limiting opportunities for redirection or interception such as DNS poisoning, BGP hijack scenarios, or MITM against first-time connections. Network monitoring for anomalously large or malformed SSH packets may help detect exploitation attempts. These are temporary risk-reduction measures only; no complete workaround was provided in the cited advisories.

Remediation

Patch, then assume compromise.

Upgrade libssh2 to a version containing the upstream fix for CVE-2026-55200. The provided content identifies the fix as commit 97acf3dfda80c91c3a8c9f2372546301d4a1a7a8 (also referenced as 7acf3df), which adds packet_length upper-bound validation in ssh2_transport_read(). Where distribution packages are used, apply the vendor update; the content specifically references Debian stable remediation via libssh2 version 1.11.1-1+deb13u1. Also identify and update statically linked, bundled, or embedded copies of libssh2, since package-manager updates alone may not remediate all affected software.
PUBLIC EXPLOITS

Exploits

1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.

VALID 1 / 1 TOTAL

CVE-2026-55200. Maturity: PoC. Verified exploit.

This repository is a small standalone proof-of-concept exploit consisting of one C source file and a README. The main file, CVE-2026-55200.c, implements a multithreaded malicious SSH server that listens on a configurable TCP port (default 2222), accepts inbound client connections, performs a minimal SSH-like handshake, and then sends a crafted packet designed to trigger an out-of-bounds write in vulnerable libssh2 clients. The exploit flow is: send attacker-controlled SSH banner, receive client banner, send a fake SSH_MSG_KEXINIT structure, receive client key-exchange data, then transmit a malicious packet with packet_length set to 0xFFFFFFFF and a body filled largely with 0x41 bytes. The code uses pthreads to handle multiple clients concurrently and basic socket APIs for bind/listen/accept/send/recv. The README documents the claimed target as libssh2 <= 1.11.1 and describes the vulnerability as a network-reachable packet length validation flaw in SSH transport processing. There is no post-exploitation logic, shell payload, callback infrastructure, or framework integration; the repository is focused purely on triggering memory corruption/DoS and potentially enabling further exploitation research.

Author: 0xBlackash. Disclosed Jun 23, 2026. Tags: c, markdown, network.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor   | Product | Type
Libssh2  | Libssh2 | application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
