Critical libssh2 RCE Vulnerability (CVE-2026-55200) Exploitable via Public PoC
A proof-of-concept (PoC) exploit for CVE-2026-55200, a critical remote code execution (RCE) vulnerability in libssh2, has been released, heightening the risk of attacks against unpatched systems. The flaw affects libssh2 versions up to and including 1.11.1, stemming from an unchecked packet_length field in the ssh2_transport_read() function. This oversight allows attackers to trigger a 32-bit integer wrap, leading to undersized heap allocations and out-of-bounds writes during packet processing.
The PoC, published under the exploitarium repository, includes a C11 verifier demonstrating how a crafted packet_length (e.g., 0xffffffff) can force a tiny memory allocation while retaining a large logical packet size. This mismatch enables subsequent operations to overflow the buffer, corrupting adjacent heap structures. The repository also provides a malicious Python-based SSH server that delivers a malformed packet to exploit vulnerable libssh2 clients without authentication or user interaction, aligning with the vulnerability’s CVSS 9.2 severity rating.
Given libssh2’s integration into tools like curl, backup agents, firmware updaters, and embedded appliances, any software linking the library and connecting to untrusted SSH endpoints is at risk. The PoC includes a local RCE harness that models the exploit’s allocation-to-control pattern, confirming that code execution is feasible, though real-world exploitation depends on target-specific factors like binary layout and mitigations.
The upstream fix, introduced in commit 97acf3dfda80c91c3a8c9f2372546301d4a1a7a8, enforces a strict guard against oversized packet_length values. However, no new libssh2 release containing the patch has been widely announced, and downstream projects are still backporting fixes. Organizations are advised to identify and patch affected software while restricting connections to untrusted SSH servers.
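The length arithmetic described above, as an added example (not libssh2's code and not taken from the PoC repository): a simplified model of how an unchecked 32-bit packet_length wraps into a tiny allocation size, shown next to a bounded version. MODEL_MAX_PACKET, MODEL_MAC_LEN and the function names are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: illustrative limit from RFC 4253 section 6.1 (35000-byte total
   packet size); the real library defines its own maximum. */
#define MODEL_MAX_PACKET 35000u
#define MODEL_MAC_LEN    16u   /* assumed trailer (MAC) size for this model */

/* Decode the 4-byte big-endian length field that starts an SSH packet. */
static uint32_t read_be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Unchecked sizing: the 32-bit addition wraps modulo 2^32, so a huge
   packet_length can yield a very small allocation size. */
static uint32_t alloc_size_unchecked(uint32_t packet_length) {
    return packet_length + MODEL_MAC_LEN;
}

/* Guarded sizing: returns 0 on success, -1 if the length must be rejected
   before any allocation or copy takes place. */
static int alloc_size_checked(uint32_t packet_length, uint32_t *out) {
    if (packet_length < 1 || packet_length > MODEL_MAX_PACKET)
        return -1;
    *out = packet_length + MODEL_MAC_LEN; /* cannot wrap after the bound check */
    return 0;
}

int main(void) {
    const unsigned char wire[][4] = { /* constructed sample length fields */
        {0x00, 0x00, 0x00, 0x1c}, {0x00, 0x00, 0x88, 0xb8},
        {0x00, 0x00, 0x88, 0xb9}, {0xff, 0xff, 0xff, 0xff} };
    for (size_t i = 0; i < sizeof wire / sizeof wire[0]; i++) {
        uint32_t len = read_be32(wire[i]), safe = 0;
        int rc = alloc_size_checked(len, &safe);
        printf("packet_length=0x%08x unchecked_alloc=%u checked=%s\n",
               (unsigned)len, (unsigned)alloc_size_unchecked(len),
               rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

In the model, the 0xffffffff length yields a 15-byte unchecked allocation size while the logical packet length remains about 4 GiB; the guarded path rejects it before any buffer is sized.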
Source: https://cybersecuritynews.com/poc-exploit-libssh2-rce-vulnerability/
curl TPRM report: https://www.rankiteo.com/company/the-curl-project
Date: 6/2026