A public proof-of-concept has been released for CVE-2026-55200, a critical flaw in libssh2 that may allow memory corruption and code execution for connected clients. This vulnerability affects all versions up to 1.11.1, posing significant risks as libssh2 is widely used in various applications and systems.
CVE-2026-55200 is a critical vulnerability in libssh2 that could enable memory corruption on a client connecting to a malicious or compromised SSH server. It is classified with a CVSS score of 9.2, indicating a severe risk. The flaw affects every release of libssh2 up to and including version 1.11.1.
The vulnerability stems from the function ssh2_transport_read() in the source file transport.c, which fails to enforce an upper limit on the packet_length field when parsing SSH packets. Without that limit, the length value can lead to an integer overflow, which in turn can trigger an out-of-bounds heap write, a form of memory corruption that can lead to code execution.
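The missing check described above, as an added C sketch (not libssh2's code and not the upstream patch): it shows how unchecked 32-bit size arithmetic wraps, next to a header validator that bounds packet_length before any size is computed. The header layout follows RFC 4253; the function names, the 35000-byte cap and MAX_MAC_LEN are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed limits for this sketch, not libssh2's: RFC 4253 section 6.1 only
 * obliges implementations to handle packets of up to 35000 bytes in total. */
#define MAX_PACKET_LENGTH 35000u
#define MIN_PADDING 4u
#define MAX_MAC_LEN 64u

enum pkt_status { PKT_OK = 0, PKT_SHORT = -1, PKT_BAD_LENGTH = -2, PKT_BAD_PADDING = -3 };

/* Unchecked 32-bit size arithmetic: the sum wraps modulo 2^32, so a huge
 * packet_length yields a small buffer size. */
uint32_t unchecked_total(uint32_t packet_length, uint32_t mac_len)
{
    return packet_length + 4u + mac_len;
}

/* Validate the header of an SSH binary packet (big-endian uint32
 * packet_length, then one padding_length byte) before sizing a buffer.
 * On success *total is the packet's full size on the wire. */
int checked_total(const uint8_t *hdr, size_t hdr_len, uint32_t mac_len, size_t *total)
{
    if (hdr_len < 5)
        return PKT_SHORT;
    uint32_t packet_length = ((uint32_t)hdr[0] << 24) | ((uint32_t)hdr[1] << 16) |
                             ((uint32_t)hdr[2] << 8) | (uint32_t)hdr[3];
    uint32_t padding_length = hdr[4];

    /* Upper bound first: the arithmetic below relies on it. */
    if (packet_length < 1u + MIN_PADDING || packet_length > MAX_PACKET_LENGTH)
        return PKT_BAD_LENGTH;
    if (mac_len > MAX_MAC_LEN)
        return PKT_BAD_LENGTH;
    /* packet_length covers the padding_length byte, payload and padding. */
    if (padding_length < MIN_PADDING || padding_length > packet_length - 1u)
        return PKT_BAD_PADDING;
    *total = (size_t)packet_length + 4u + mac_len; /* bounded terms, no wrap */
    return PKT_OK;
}

int main(void)
{
    const uint8_t oversized[5] = { 0xff, 0xff, 0xff, 0xff, 0x04 }; /* constructed header */
    size_t total = 0;
    printf("unchecked size: %u\n", (unsigned)unchecked_total(0xffffffffu, 32u));
    printf("checked status: %d\n", checked_total(oversized, sizeof oversized, 32u, &total));
    return 0;
}
```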
The flaw was reported by security researcher Tristan Madani. The fix was merged into the codebase on June 12, and VulnCheck published the CVE on June 17. A public proof-of-concept for the vulnerability is now available in 'exploitarium', which contains code that could lead to remote code execution under specific conditions.
Because libssh2 is embedded in numerous applications, including curl, Git, and PHP, many systems and devices using these libraries are at risk, particularly those that connect to untrusted SSH endpoints. The prevalence of statically linked copies of the library may prevent automatic updates from addressing the vulnerability.
This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors; check the original sources.