Executive Summary
A public proof-of-concept (PoC) exploit has been released for CVE-2026-55200, a critical out-of-bounds write vulnerability in the libssh2 client-side SSH library. This flaw enables a malicious or compromised SSH server to trigger memory corruption on a connecting client, potentially resulting in remote code execution (RCE) without requiring credentials or user interaction. The vulnerability affects all libssh2 versions up to and including 1.11.1. The risk is amplified by the widespread use of libssh2 in software such as curl, Git, PHP, backup agents, firmware updaters, and various network appliances. Immediate action is required to inventory, patch, and monitor affected assets.
Technical Information
CVE-2026-55200 is an integer overflow to buffer overflow vulnerability (CWE-680) in the libssh2 SSH client library. The flaw resides in the ssh2_transport_read() function within transport.c, which processes incoming SSH packets during the handshake phase. The function reads an attacker-controlled packet_length field and only rejects values below 1, failing to enforce an upper bound. If an attacker sends a packet_length of 0xffffffff, the value wraps around due to 32-bit arithmetic, resulting in a small buffer allocation. The subsequent code then writes the full, oversized packet into this undersized buffer, causing an out-of-bounds heap write.
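To make the arithmetic concrete, the following is an added example (not libssh2's code and not the PoC) that places the lower-bound-only length check the advisory describes beside a bounded one; the 35000-byte cap and the two sample headers are assumptions chosen for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed cap for one SSH binary packet. RFC 4253 requires implementations
   to accept packets of at least 35000 bytes; the exact limit is a choice made
   here for the example, not libssh2's value. */
#define MAX_PACKET_LENGTH 35000u

/* Every SSH binary packet begins with a big-endian uint32 packet_length. */
uint32_t read_packet_length(const unsigned char *hdr) {
    return ((uint32_t)hdr[0] << 24) | ((uint32_t)hdr[1] << 16) |
           ((uint32_t)hdr[2] << 8)  |  (uint32_t)hdr[3];
}

/* The pattern the advisory describes: only a lower bound is enforced and the
   allocation size is computed in 32-bit arithmetic, so 0xffffffff + 4 wraps
   to 3 and the caller allocates a tiny buffer for a huge packet. Returns 0
   when the length is rejected. */
uint32_t alloc_size_unchecked(uint32_t packet_length) {
    if (packet_length < 1)
        return 0;
    return packet_length + 4u;   /* silently wraps for large values */
}

/* Hardened form: enforce an upper bound before any arithmetic, then size the
   buffer in size_t so the addition cannot wrap. Returns 0 when rejected. */
size_t alloc_size_checked(uint32_t packet_length) {
    if (packet_length < 1 || packet_length > MAX_PACKET_LENGTH)
        return 0;
    return (size_t)packet_length + 4u;
}

/* Constructed sample headers: a hostile length and a benign 300-byte packet. */
static const unsigned char hostile_hdr[4] = {0xff, 0xff, 0xff, 0xff};
static const unsigned char benign_hdr[4]  = {0x00, 0x00, 0x01, 0x2c};

int main(void) {
    uint32_t hostile = read_packet_length(hostile_hdr);
    uint32_t benign  = read_packet_length(benign_hdr);
    printf("hostile length %u: unchecked buffer %u bytes, checked -> %s\n",
           hostile, alloc_size_unchecked(hostile),
           alloc_size_checked(hostile) ? "accepted" : "rejected");
    printf("benign length %u: unchecked buffer %u bytes, checked -> %zu bytes\n",
           benign, alloc_size_unchecked(benign), alloc_size_checked(benign));
    return 0;
}
```

The same bounded check is also the simplest network-side heuristic for the "oversized SSH packet" anomaly the mitigation section mentions: a packet_length field far above what any legitimate SSH implementation sends is worth logging.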
This vulnerability is particularly dangerous because it can be exploited pre-authentication, before any credentials are exchanged. A remote attacker controlling an SSH server can send a specially crafted SSH packet to a vulnerable libssh2 client, triggering the vulnerability during the handshake phase. This can lead to memory corruption and, under certain conditions, remote code execution on the client system.
The public PoC, originally released in the "exploitarium" GitHub repository, demonstrates a locally verified SSH trigger and a controlled local RCE harness for the libssh2 bug. The PoC is not a turnkey remote exploit; reliable exploitation depends on the target binary, memory allocator behavior, mitigations, and how libssh2 is embedded in the application. The vulnerability is rated 9.2 (Critical) on the CVSS v4.0 scale.
libssh2 is widely used as an SSH client library in numerous open-source and commercial products. Any software statically or dynamically linking libssh2 and initiating outbound SSH connections to untrusted servers is at risk. This includes, but is not limited to, curl, Git, PHP, backup agents, firmware updaters, and network appliances.
The vulnerability was reported by a security researcher (@TristanInSec) and fixed in commit 97acf3df. As of the time of writing, no official libssh2 release includes the fix, but some Linux distributions have backported the patch.
Exploitation in the Wild
As of this advisory, there are no confirmed reports of in-the-wild exploitation of CVE-2026-55200. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, and CISA does not confirm active exploitation. However, the public availability of a PoC significantly increases the risk of imminent exploitation, especially by opportunistic attackers and automated scanning tools. Organizations should assume that exploitation attempts may occur at any time and take immediate steps to mitigate risk.
APT Groups using this vulnerability
There is currently no public attribution of CVE-2026-55200 exploitation to any specific Advanced Persistent Threat (APT) groups. However, the nature of this vulnerability—a pre-authentication remote code execution flaw in a widely deployed client library—makes it highly attractive to both targeted and opportunistic threat actors. The vulnerability aligns with MITRE ATT&CK techniques such as Exploit Public-Facing Application (T1190) and Exploitation of Remote Services (T1210). Organizations should remain vigilant for signs of exploitation, as APT groups may incorporate this vulnerability into their toolkits in the near future.
Affected Product Versions
All versions of libssh2 up to and including 1.11.1 are affected by CVE-2026-55200. This includes any software or appliance that statically or dynamically links to a vulnerable version of libssh2. Notable affected products and distributions include curl (when built with libssh2 support), Git, PHP, backup agents, firmware updaters, and network appliances. Specific affected package versions include Debian bullseye (1.9.0-2+deb11u1), bookworm (1.10.0-3), and trixie (1.11.1-1). Fixed versions are available in trixie (security) 1.11.1-1+deb13u1 and forky/sid 1.11.1-4. Any downstream software embedding libssh2 <= 1.11.1 is vulnerable unless specifically patched or backported.
Workaround and Mitigation
There is currently no official libssh2 release containing the fix for CVE-2026-55200. However, the patch is available in the mainline source and has been backported by some Linux distributions. Organizations should immediately inventory all software and appliances using libssh2, including statically linked or bundled copies. Apply patched builds or backports that include the fix as soon as possible. Restrict outbound SSH connections to trusted servers and verify host keys to reduce exposure. Monitor for signs of exploitation, such as unusual SSH client crashes, oversized SSH packet anomalies in network traffic logs, and unexpected outbound connections from appliances or software known to use libssh2. Refer to vendor advisories from NHS England Digital, Red Hat, and VulnCheck for additional guidance.
Indicators of Compromise
Indicators of compromise are point-in-time and should be validated before enforcement. At the time of writing, no public indicators of compromise (IOCs) specific to CVE-2026-55200 have been published; organizations should monitor for the behavioral anomalies described above.
References
NVD CVE-2026-55200
The Hacker News: Public PoC Released for Critical libssh2 CVE-2026-55200
VulnCheck Advisory
libssh2 Patch Commit
libssh2 Pull Request #2052
Red Hat CVE-2026-55200
CVE.org Record
Reddit: Public PoC for CVE-2026-55200
Debian Security Tracker
SUSE Advisory
Rescana is here for you
Rescana provides a comprehensive Third-Party Risk Management (TPRM) platform that empowers organizations to continuously monitor, assess, and mitigate cyber risks across their supply chain. Our platform delivers actionable intelligence, automated workflows, and deep visibility into vendor security posture, helping you stay ahead of emerging threats and regulatory requirements. We are happy to answer any questions at info@rescana.com.

