Mallory
Unrated | Public exploit

libssh2 ssh2_transport_read() packet_length Out-of-Bounds Write RCE

Identifiers: CVE-2026-55200, CWE-680

CVE-2026-55200 is a critical memory corruption vulnerability in libssh2 affecting versions through 1.11.1. The flaw is in ssh2_transport_read() in src/transport.c, where the library accepts an attacker-controlled SSH packet_length value from a remote peer without enforcing the libssh2 maximum packet-size boundary before arithmetic and allocation decisions are made. In the vulnerable full-packet decryption path, an excessively large packet_length can cause integer wraparound in the size calculation used for heap allocation, resulting in an undersized buffer being allocated while subsequent processing still uses the original oversized packet length. This creates an out-of-bounds heap write condition. The issue is reachable pre-authentication during SSH transport negotiation, so a malicious or impersonated SSH server can trigger it as soon as a libssh2-based client connects.
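To make the arithmetic concrete, the following is an added example, not libssh2's code and not the PoC's, that models the two sizing paths on the packet_length value taken from a crafted packet header: a 32-bit total computed before any bound is applied, and the same computation guarded by the LIBSSH2_PACKET_MAXPAYLOAD check that the upstream fix adds. The 4-byte length-field overhead, the 20-byte MAC, and the numeric value of LIBSSH2_PACKET_MAXPAYLOAD are assumptions made for the example; the constructed header uses packet_length 0xFFFFFFFF and a body of 0x41 bytes, which is the shape of the packet the public PoC listed on this page sends.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: a reduced model of the packet_length handling the advisory
 * describes. The constant name comes from the fix description; its numeric
 * value here is an assumption, as are the two overhead sizes below. */
#define LIBSSH2_PACKET_MAXPAYLOAD 40000u

/* Assumed overheads on the full-packet path: the 4-byte length field that
 * precedes the body and a 20-byte MAC (e.g. hmac-sha1) that follows it. */
#define LENGTH_FIELD_LEN 4u
#define MAC_LEN          20u

/* SSH binary packet header: uint32 packet_length, big-endian (RFC 4253, 6). */
static uint32_t read_packet_length(const uint8_t *hdr)
{
    return ((uint32_t)hdr[0] << 24) | ((uint32_t)hdr[1] << 16) |
           ((uint32_t)hdr[2] << 8)  |  (uint32_t)hdr[3];
}

/* Constructed data: the first bytes of a crafted packet of the shape the
 * public PoC sends, packet_length = 0xFFFFFFFF followed by 0x41 filler
 * (padding_length byte and body). Returns the number of bytes written. */
static size_t build_crafted_header(uint8_t *out, size_t outlen)
{
    if (outlen < 8)
        return 0;
    out[0] = 0xFF; out[1] = 0xFF; out[2] = 0xFF; out[3] = 0xFF;  /* packet_length */
    memset(out + 4, 0x41, outlen - 4);                           /* padding_length + body */
    return outlen;
}

/* Vulnerable sizing model: the total is computed in 32 bits before the
 * length is bounded. 0xFFFFFFFF + 24 wraps to 23, so a 23-byte buffer is
 * requested while the copy that follows still treats the body as
 * 0xFFFFFFFF bytes long. */
static uint32_t vulnerable_total_size(uint32_t packet_length)
{
    return packet_length + LENGTH_FIELD_LEN + MAC_LEN;
}

/* 1 if the vulnerable model allocates fewer bytes than it goes on to write. */
static int vulnerable_undersizes(uint32_t packet_length)
{
    return vulnerable_total_size(packet_length) < packet_length;
}

/* Hardened sizing: reject before any arithmetic, the shape of the upstream
 * fix. Returns 0 and stores the total on success, -1 on an oversized length. */
static int hardened_total_size(uint32_t packet_length, uint32_t *total)
{
    if (packet_length > LIBSSH2_PACKET_MAXPAYLOAD)
        return -1;
    *total = packet_length + LENGTH_FIELD_LEN + MAC_LEN;  /* at most 40024: cannot wrap */
    return 0;
}

int main(void)
{
    uint8_t hdr[16];
    uint32_t total = 0;
    uint32_t len;

    build_crafted_header(hdr, sizeof hdr);
    len = read_packet_length(hdr);

    printf("packet_length         = 0x%08x\n", len);
    printf("vulnerable total size = %u bytes (wrapped: %s)\n",
           vulnerable_total_size(len), vulnerable_undersizes(len) ? "yes" : "no");
    printf("hardened path         = %s\n",
           hardened_total_size(len, &total) == 0 ? "accepted" : "rejected");
    return 0;
}
```

Build with `cc -std=c99 -Wall example.c`. The model deliberately stops short of performing the write: the point is that the allocation size (23) and the copy length (0xFFFFFFFF) disagree, which is the CWE-680 pattern, and that the bound must be checked on the raw length before any addition, since checking the wrapped sum would pass.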


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation corrupts heap memory and, at minimum, crashes the client process, giving a denial of service. Because the corruption is attacker-influenced and sits in a pre-authentication, network-reachable code path, it may also permit unauthenticated remote code execution in applications that use libssh2, depending on allocator behavior, process mitigations, and how the calling application embeds and invokes the library. Where exploitation goes that far, the attacker runs code in the security context of the vulnerable client application. The public exploit listed on this page demonstrates the memory corruption and crash only; no code-execution chain has been published with it.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by preventing libssh2-based clients from connecting to untrusted SSH/SFTP/SCP servers and by limiting opportunities for redirection or interception such as DNS poisoning, BGP hijack, or on-path MITM. Network controls can restrict outbound SSH connections to trusted destinations only. Strict host key verification is worth enforcing, but note its limit here: the public PoC on this page sends its crafted packet right after the client's KEXINIT, before any host key has been presented, so host key checking does not stop that exchange; its value is in keeping an impersonating server from reaching later transport stages. Monitoring for anomalous SSH traffic or malformed/oversized packets may help detect exploitation attempts, with the caveat that once keys are in effect most ciphers encrypt the packet_length field itself, so wire-level inspection of lengths is only reliable during the unencrypted key-exchange phase. All of this is compensating control, not a substitute for patching.

Remediation

Patch, then assume compromise.

Upgrade libssh2 to a version containing the upstream fix for this issue. Public sources identify the fix as commit 97acf3dfda80c91c3a8c9f2372546301d4a1a7a8 / 7acf3df, which adds boundary validation rejecting packet_length values greater than LIBSSH2_PACKET_MAXPAYLOAD before the vulnerable arithmetic occurs. Where distribution packages are used, apply the vendor-provided patched package; for Debian stable, the cited fixed package version is 1.11.1-1+deb13u1. Also identify and update statically linked, bundled, or embedded copies of libssh2 in dependent products, since these are not covered by the distribution package and will not show up in a package-manager version check.
PUBLIC EXPLOITS

Exploits

1 valid exploit after filtering out fakes, detection scripts, and README-only repos (1 valid of 1 total).
CVE-2026-55200 | Maturity: PoC | Verified exploit

This repository is a small standalone proof-of-concept exploit consisting of one C source file and a README. The main file, CVE-2026-55200.c, implements a multithreaded malicious SSH server that listens on a configurable TCP port (default 2222), accepts inbound client connections, performs a minimal SSH-like handshake, and then sends a crafted packet designed to trigger an out-of-bounds write in vulnerable libssh2 clients. The exploit flow is: send attacker-controlled SSH banner, receive client banner, send a fake SSH_MSG_KEXINIT structure, receive client key-exchange data, then transmit a malicious packet with packet_length set to 0xFFFFFFFF and a body filled largely with 0x41 bytes. The code uses pthreads to handle multiple clients concurrently and basic socket APIs for bind/listen/accept/send/recv. The README documents the claimed target as libssh2 <= 1.11.1 and describes the vulnerability as a network-reachable packet length validation flaw in SSH transport processing. There is no post-exploitation logic, shell payload, callback infrastructure, or framework integration; the repository is focused purely on triggering memory corruption/DoS and potentially enabling further exploitation research.

Author: 0xBlackash. Disclosed Jun 23, 2026. Tags: c, markdown, network.
EXPOSURE SURFACE

Affected products & vendors

Products and vendors correlated with this vulnerability.

Vendor | Product | Type
Libssh2 | Libssh2 | application

Vendor-confirmed product mapping.

ACTIVITY FEED

Recent activity

51 sources tracked across advisories, community write-ups, and news.
