
libssh2 CVE-2026-55199

Severity: HIGH, 8.2 (CVSS 4.0, vendor: VulnCheck)
Weakness: Loop with Unreachable Exit Condition (Infinite Loop) (CWE-835)
Published: 2026-06-17 by VulnCheck

Severity by source

Vendor (VulnCheck), primary: 8.2 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI: 6.5 MEDIUM
Rationale: Server-to-client attack requires the victim to initiate an outbound SSH connection (UI:R), no auth before the bug triggers (PR:N), and impact is CPU-bound DoS only (A:H, C/I:N).
CVSS 3.1: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CVSS 4.0: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

SUSE: 5.9 MEDIUM
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Red Hat: 5.9 MEDIUM (qualitative)

Primary rating from Vendor (VulnCheck).

CVSS Vector (Vendor: VulnCheck)

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X (not defined)

Lifecycle Timeline

Source Code Evidence Fetched: Jun 17, 2026 - 20:00 (vuln.today)
Analysis Generated: Jun 17, 2026 - 20:00 (vuln.today)
CVE Published: Jun 17, 2026 - 18:44 (cve.org)

Description (source: CVE.org)

libssh2 through 1.11.1, fixed in commit 1762685, contains a pre-authentication denial of service vulnerability in the SSH_MSG_EXT_INFO handler in src/packet.c that allows a malicious SSH server to cause a client CPU exhaustion loop by sending a crafted extension count value. A malicious server can set nr_extensions to 0xFFFFFFFF during key exchange, causing the client to spin in a tight CPU loop for over 60 seconds because return values from _libssh2_get_string() are unchecked and the session timeout does not apply to CPU-bound loops.

Analysis (AI-generated)

Pre-authentication denial of service in libssh2 through 1.11.1 allows a malicious SSH server to pin a connecting client's CPU at 100% for over 60 seconds by advertising an attacker-controlled SSH_MSG_EXT_INFO extension count of 0xFFFFFFFF during key exchange. The flaw is reachable before authentication completes, so any client that initiates an SSH session to a hostile or compromised server endpoint is exposed. No public exploit had been identified at the time of analysis, though VulnCheck has published an advisory and the upstream PR diff is public.
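The loop structure the description refers to, as an added example that is not libssh2's own code: a bounded SSH_MSG_EXT_INFO parser in which every string read is checked, so an advertised nr_extensions of 0xFFFFFFFF ends the loop at the first short read instead of spinning until the count is exhausted. The function names (parse_ext_info, get_ssh_string, be32) are this example's own, and the payload layout follows RFC 8308 section 2.3; neither is taken from the patch.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Read one SSH "string" (uint32 length + bytes) from *p; -1 if it
 * overruns end. This is the return value the vulnerable handler ignored. */
static int get_ssh_string(const uint8_t **p, const uint8_t *end,
                          const uint8_t **s, size_t *len)
{
    uint32_t n;
    if ((size_t)(end - *p) < 4)
        return -1;
    n = be32(*p);
    *p += 4;
    if ((size_t)(end - *p) < n)
        return -1;
    *s = *p;
    *len = n;
    *p += n;
    return 0;
}

/* Parse an EXT_INFO payload (type byte already consumed): uint32 nr-ext,
 * then nr-ext (name, value) string pairs (RFC 8308 section 2.3). Returns
 * the number of extensions parsed, or -1 if the packet runs out before the
 * advertised count is reached, so iteration is bounded by packet length. */
int parse_ext_info(const uint8_t *buf, size_t buflen, int *saw_server_sig_algs)
{
    const uint8_t *p = buf, *end = buf + buflen, *name, *value;
    size_t name_len, value_len;
    uint32_t nr_ext, i;
    *saw_server_sig_algs = 0;
    if (buflen < 4)
        return -1;
    nr_ext = be32(buf);
    p += 4;
    for (i = 0; i < nr_ext; i++) {
        if (get_ssh_string(&p, end, &name, &name_len) != 0 ||
            get_ssh_string(&p, end, &value, &value_len) != 0)
            return -1;  /* short read: stop instead of spinning */
        if (name_len == 15 && memcmp(name, "server-sig-algs", 15) == 0)
            *saw_server_sig_algs = 1;
    }
    return (int)i;
}
```

With a count of 0xFFFFFFFF and only two real extensions in the packet, the loop returns -1 on the third iteration; a tight loop that ignores the read failure would instead run about four billion times.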


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: Stand up malicious SSH server
Delivery: Lure libssh2 client to connect
Exploit: Send SSH_MSG_EXT_INFO with nr_extensions=0xFFFFFFFF
Execution: Client enters unbounded parse loop
Persist: CPU pinned >60s per connection
Impact: Repeat across victims for fleet DoS

Vulnerability Assessment (AI-generated)

Exploitation: The victim must initiate an outbound SSH connection from a libssh2-linked client (version <= 1.11.1) to a server the attacker controls or has compromised. This is a server-to-client attack, not a server-side exposure, so internet-facing SSH servers are not the target surface. …

Risk Assessment: The CVSS 4.0 vector AV:N/AC:L/AT:P/PR:N/UI:N with VA:H captures the risk profile accurately: network-reachable, low complexity, no privileges or interaction, availability-only impact, and an attack requirement (AT:P) reflecting the need for the victim to actually connect to the attacker-controlled server. …

Exploit Scenario: An attacker stands up a malicious SSH server, for example by typosquatting a popular git hosting domain, poisoning DNS, or compromising a legitimate Git/SCP endpoint, and waits for libssh2-based clients (CI runners, backup agents, developer git pulls) to connect. During the SSH_MSG_EXT_INFO portion of key exchange, the server sends nr_extensions = 0xFFFFFFFF, and each connecting client pins one CPU core at 100% for at least 60 seconds, enabling fleet-wide degradation of CI pipelines or developer workflows. No public exploit had been identified at the time of analysis, but the one-line trigger is directly visible in the patch diff.

Remediation: Upstream fix available (commit 17626857d20b3c9a1addfa45979dadcee1cd84a4, merged via PR #1864). A released patched libssh2 version is not independently confirmed in the provided data, so rebuild from the fixed commit or wait for a tagged release after 1.11.1, then upgrade all downstream consumers. …

Recommended Action (AI-generated)

Within 24 hours: Identify all systems, applications, and services using libssh2 (versions through 1.11.1) via dependency scanning and asset management tools. …


Vendor Status

SUSE (severity: Moderate)

Product status:
openSUSE Tumbleweed: Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS: Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS: Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS: Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS: Affected
