A public proof-of-concept (PoC) is now available for **CVE-2026-55200**, a severe flaw in **libssh2**. This vulnerability enables a hostile or compromised SSH server to induce memory corruption on a connecting client, potentially leading to remote code execution (RCE). The exploit requires no credentials or user interaction and affects all **libssh2** releases up to and including **1.11.1**, scoring a critical 9.2 on the CVSS 4.0 scale. Crucially, **libssh2** is a client-side SSH library, not a server. This distinction is vital as it is embedded in widely used software such as **curl**, **Git**, **PHP**, various backup agents, firmware updaters, and a myriad of appliances. Any system linking **libssh2** that connects to an untrusted SSH endpoint is a potential target. Many instances are statically linked, meaning standard package updates may not address them, and their presence might go undetected. ## How the Bug Works The flaw resides within `ssh2_transport_read()` in `transport.c`, the function responsible for parsing incoming SSH packets during the handshake. It reads the attacker-controlled `packet_length` field, but historically only rejected values below 1, without enforcing an upper bound. The size calculation adds `packet_length` to other small values using 32-bit arithmetic. Consequently, a `packet_length` of `0xffffffff` wraps around to a tiny number. **libssh2** then allocates a buffer sized for this small number, while subsequent code attempts to write the full, oversized packet into it. This results in an out-of-bounds heap write, classified as **CWE-680** (integer overflow to buffer overflow) – a classic primitive for code execution. The [patch](https://github.com/libssh2/libssh2/commit/97acf3dfda80c91c3a8c9f2372546301d4a1a7a8) introduces the missing check, rejecting any `packet_length` exceeding `LIBSSH2_PACKET_MAXPAYLOAD` before the arithmetic takes place. This isn't the first time **libssh2** has encountered such issues. In 2019, version **1.8.1** addressed nine flaws, including **CVE-2019-3855**, a nearly identical integer overflow in its transport read function that also allowed a malicious server to execute code on a connecting client. Seven years later, a similar vulnerability has re-emerged in the same codebase. Security researcher **Tristan Madani** reported the issue, and maintainers merged the patch via [pull request #2052](https://github.com/libssh2/libssh2/pull/2052) on June 12. **VulnCheck** published the CVE on June 17. A public PoC has been [published in "exploitarium"](https://github.com/bikini/exploitarium/tree/main/libssh2-cve-2026-55200-poc), a GitHub archive of exploit code. This archive includes a locally verified SSH trigger scaffold and a controlled local RCE harness for the **libssh2** bug, not a turnkey remote exploit. Achieving reliable code execution against a live application would still depend on the specific target binary, allocator behavior, existing mitigations, and how the software integrates **libssh2**. The author of "exploitarium" concedes that the archive was released incomplete, with some entries being weak and fuzzing driven by AI. As of now, **CISA's** exploitation rating for the CVE remains 'none', and no in-the-wild exploitation has been reported. ## What to Do There is currently no official fixed **libssh2** release. The patch is in the mainline source, and a tagged release is [still being prepared](https://seclists.org/oss-sec/2026/q2/1010). Consequently, Linux distributions and downstream projects are backporting the fix themselves; **Debian**, for instance, already has a repaired build in its testing branch. **NHS England Digital** has [issued an advisory](https://digital.nhs.uk/cyber-alerts/2026/cc-4799) urging affected organizations to update. * **Inventory assets:** Identify all instances linking **libssh2**, including static or bundled copies that package managers might not flag. **curl**, **Git**, and **PHP** deployments are common carriers. * **Apply patches:** Implement a build that includes commit `97acf3d`, whether a distribution backport or a patched source build. Monitor your vendor's advisory channels for release status. * **Mitigate risks:** Until patched, restrict outbound SSH connections to trusted servers and verify host keys. Prioritize patching clients that connect to external SSH servers or resolve hosts through names that an attacker could redirect. Watch for oversized-packet anomalies and unexplained client crashes. Additionally, patch other related vulnerabilities: **CVE-2026-55199** (CVSS 8.2), a denial-of-service flaw that traps a connecting client in a CPU loop via a bogus extension count, and **CVE-2025-15661** (CVSS 8.3), an SFTP heap over-read. The core issue is a pre-authentication memory-corruption bug in code embedded in more clients and appliances than fully mapped. The critical questions remain: how quickly will the local harness be weaponized into a dependable remote exploit, and how many bundled copies will remain vulnerable due to forgotten integrations of **libssh2**?