Skip to main content

libssh2 CVE-2026-55200

CRITICAL
Integer Overflow to Buffer Overflow (CWE-680)
2026-06-17 VulnCheck
9.2
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
9.2 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.1 HIGH

Network-reachable and unauthenticated, but exploitation requires the libssh2 client to connect to a malicious SSH server and reliable heap RCE against modern hardening raises AC to High.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Red Hat
8.1 HIGH
qualitative

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 17, 2026 - 20:01 vuln.today
Analysis Generated
Jun 17, 2026 - 20:01 vuln.today

DescriptionCVE.org

libssh2 through 1.11.1, fixed in commit 7acf3df contains an out-of-bounds write vulnerability in ssh2_transport_read() that fails to enforce upper bounds on packet_length field. Remote attackers can send crafted SSH packets with excessively large packet_length values to corrupt heap memory and achieve remote code execution.

AnalysisAI

Remote code execution in libssh2 through version 1.11.1 stems from an unchecked packet_length field in ssh2_transport_read() that allows attackers to send oversized SSH packets and corrupt heap memory. The flaw was reported by VulnCheck and is fixed upstream in commit 97acf3df (PR #2052), which adds an upper-bound check against LIBSSH2_PACKET_MAXPAYLOAD. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify libssh2-using client
Delivery
Lure client to attacker SSH server
Exploit
Send crafted packet with oversized packet_length
Execution
Trigger OOB heap write in ssh2_transport_read()
Persist
Hijack control flow in client process
Impact
Execute arbitrary code as client user

Vulnerability AssessmentAI

Exploitation The vulnerable code path is reached when a libssh2-based client establishes an SSH transport session with an attacker-controlled or compromised SSH server and processes a server-sent binary packet whose 32-bit packet_length header exceeds LIBSSH2_PACKET_MAXPAYLOAD; no victim authentication, credentials, or user interaction beyond initiating the SSH connection is required (PR:N, UI:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N indicates a network-reachable, low-complexity, unauthenticated flaw with high impact across the CIA triad, but the AT:P (Attack Requirements: Present) hint is meaningful - exploitation requires the victim libssh2 client to connect to an attacker-controlled or compromised SSH server, which is not a default condition of being on the network. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker stands up a malicious SSH server (or compromises an existing one) and lures or coerces a victim system using a vulnerable libssh2 client - for example, a CI runner cloning over git+ssh or a backup agent performing SCP - into connecting to it. During the SSH transport handshake the server emits a crafted binary packet with a packet_length field far exceeding LIBSSH2_PACKET_MAXPAYLOAD, triggering the out-of-bounds heap write in ssh2_transport_read() and pivoting to remote code execution in the context of the SSH client process. …
Remediation Upstream fix available (PR/commit); released patched version not independently confirmed - apply commit 97acf3dfda80c91c3a8c9f2372546301d4a1a7a8 from https://github.com/libssh2/libssh2/pull/2052 or upgrade to the first tagged libssh2 release that includes it (post-1.11.1) once distributors publish it, and rebuild downstream consumers (curl, language bindings, container base images) against the patched library. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Conduct comprehensive inventory of all systems and applications using libssh2, prioritizing production SSH infrastructure and access management systems. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Important
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Server 16.0 Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected
SUSE Linux Enterprise Micro 5.3 Not-Affected

Share

CVE-2026-55200 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy