CVE-2026-55200
libssh2 - Out-of-Bounds Write via Unchecked packet_length in transport.c
Description
libssh2 through 1.11.1, fixed in commit 7acf3df contains an out-of-bounds write vulnerability in ssh2_transport_read() that fails to enforce upper bounds on packet_length field. Remote attackers can send crafted SSH packets with excessively large packet_length values to corrupt heap memory and achieve remote code execution.
INFO
Published Date :
June 17, 2026, 8:17 p.m.
Last Modified :
July 1, 2026, 5:16 a.m.
Remotely Exploit :
Yes !
Source :
[email protected]
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | |||||
| CVSS 3.1 | HIGH | 83251b91-4cc7-4094-a5c7-464a1b83ea10 | ||||
| CVSS 3.1 | HIGH | [email protected] | ||||
| CVSS 3.1 | CRITICAL | [email protected] | ||||
| CVSS 3.1 | HIGH | [email protected] | ||||
| CVSS 4.0 | CRITICAL | 83251b91-4cc7-4094-a5c7-464a1b83ea10 | ||||
| CVSS 4.0 | CRITICAL | [email protected] |
Solution
- Update libssh2 to a patched version.
- Apply the fix from commit 7acf3df.
- Validate packet length checks.
Public PoC/Exploit Available at Github
CVE-2026-55200 has a 18 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2026-55200.
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2026-55200 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2026-55200
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
None
Python C Shell JavaScript Java C# HTML C++ PHP Assembly
None
None
C
exploitarium
Python C Shell JavaScript Java C# C++ PHP Rust Batchfile
Get safe, and straight
Python C Shell JavaScript Java C# C++ PHP Rust Batchfile
None
Python C Shell JavaScript Java C# C++ PHP Rust Batchfile
CVE-2026-55200 - Critical libssh2 Remote Code Execution Vulnerability
C
test
Shell JavaScript C++ Python C PHP Java C# Rust Batchfile
None
Python C Shell JavaScript Java C# C++ PHP Rust Batchfile
KQL detection rules for Microsoft Sentinel and Defender XDR covering the bikini/exploitarium anonymous disclosure — a personal research archive of 15+ distinct vulnerability targets across 109+ tracked files, released without vendor notification on June 23, 2026.
kql threat-detection threat-hunting threat-intelligence
Structured, machine-readable corpus of 23 real-world vulnerabilities — metadata, CWE, root cause, exploit primitive & discovery methodology — distilled from public Exploitarium PoC research. For defensive/educational use.
corpus cwe dataset exploit-database infosec security security-research vulnerability-research
Python
Daily tech-watch digest (AI, dev, DevOps, data, cloud). Auto-published from my watch on baptisteblouin.fr
ai artificial-intelligence automation cloud cloudflare-workers data-engineering devops digest github-actions llm machine-learning mlops newsletter rss tech-news tech-watch ai-news
JavaScript
Loginsoft Vulnerability Intelligence (LOVI)
CVE-2026-55200
C
A single archive of public exploit PoCs and vulnerability research writeups. At the time I post these, none have been reported. Feel free to report them yourself and take credit for the CVE if handed out lulz
Python Shell Java C# JavaScript C++ C Batchfile Rust PHP
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-55200 vulnerability anywhere in the article.
-
The Hacker News
Suspected China-Aligned Hackers Exploit Roundcube Flaws Against Universities
A suspected China-aligned threat activity cluster has been observed exploiting Roundcube webmail software belonging to physics and engineering departments of U.S. and Canadian universities as part of ... Read more
-
The Hacker News
CERT/CC Warns of Hidden Admin Backdoor in Tenda Router Firmware
Several versions of firmware released by Chinese network device manufacturer Tenda have been found to embed an undocumented authentication backdoor that enables administrative access to the devices' w ... Read more
-
The Hacker News
BeyondTrust Patches Critical Auth Bypass Flaws in Remote Support and PRA
BeyondTrust has released updates to address two critical security flaws affecting Remote Support (RS) and Privileged Remote Access (PRA) products that, if successfully exploited, could allow unauthent ... Read more
-
The Hacker News
Iran-Linked Hackers Use New Cavern C2 Framework to Target Israeli Organizations
An Iranian hacking group affiliated with Iran's Ministry of Intelligence and Security (MOIS) has been wielding a previously undocumented modular command-and-control (C2) framework dubbed Cavern (aka C ... Read more
-
The Hacker News
16-Year-Old Linux KVM Flaw Lets Guest VMs Escape to Host on Intel and AMD x86 Systems
A use-after-free bug in Linux's KVM hypervisor can be triggered from a guest virtual machine to corrupt the shadow-page state of the host kernel that runs it. Dubbed 'Januscape' and tracked as CVE-202 ... Read more
-
The Hacker News
Threat Actors Probe Gitea Docker Flaw CVE-2026-20896 13 Days After Disclosure
Threat actors have been observed attempting to exploit a recently patched critical security flaw in Gitea Docker images, according to Sysdig. The vulnerability in question is CVE-2026-20896 (CVSS scor ... Read more
-
The Hacker News
Unpatched Flaws Disclosed in Filesystem Bundled Into Millions of Embedded Devices
Security firm runZero has disclosed seven vulnerabilities in FatFs, a small filesystem library that lets a device read and write the FAT and exFAT formats used on USB drives and SD cards. The flaws ma ... Read more
-
The Hacker News
New "Bad Epoll" Linux Kernel Flaw Lets Unprivileged Users Gain Root, Hits Android
A newly disclosed Linux kernel flaw called Bad Epoll (CVE-2026-46242) lets an ordinary user with no special access take full control of a machine as root. It affects Linux desktops, servers, and Andro ... Read more
-
The Hacker News
New Avalon Malware Framework Packs CrownX Ransomware Capabilities
Cybersecurity researchers have discovered a previously undocumented modular malware framework codenamed Avalon that's distributed by means of a multi-stage phishing chain capable of bypassing traditio ... Read more
-
The Hacker News
Armored Likho Targets Government Agencies, Power Sector with BusySnake Stealer
A previously undocumented threat actor known as Armored Likho has been attributed to cyber attacks targeting government agencies and the electric power sector across Russia, Brazil, and Kazakhstan. "A ... Read more
-
TheCyberThrone
Google Chrome 150 Security Update: 382 Vulnerabilities Fixed
Google has released Chrome 150, delivering one of its most extensive security patch cycles of 2026. The update addresses 382 vulnerabilities, including 15 critical flaws, reinforcing a pattern the sec ... Read more
-
TheCyberThrone
CVE-2026-48558: SimpleHelp OIDC Flaw Added to KEV
Authentication systems are built on trust.But when that trust is broken at the protocol layer, the entire security model collapses.That is exactly what happened with CVE-2026-48558, a critical vulnera ... Read more
-
TheCyberThrone
CVE-2026-55200: Critical libssh2 Flaw Opens Remote Code Execution Path
The SSH protocol is one of the most trusted pillars of secure remote communication. But when the library underneath it breaks, the blast radius can be significant.A newly disclosed vulnerability, libs ... Read more
-
The Hacker News
Public PoC Released for Critical libssh2 CVE-2026-55200 Client-Side SSH Flaw
A public proof-of-concept is now out for CVE-2026-55200, a critical flaw in libssh2 that lets a malicious or compromised SSH server trigger memory corruption on a connecting client, with possible code ... Read more
The following table lists the changes that have been made to the
CVE-2026-55200 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Jul. 01, 2026
Action Type Old Value New Value Changed SSVC {'id': 'CVE-2026-55200', 'role': 'CISA Coordinator', 'options': [{'exploitation': 'poc'}, {'automatable': 'no'}, {'technicalImpact': 'total'}], 'version': '2.0.3', 'timestamp': '2026-06-25T03:55:25.101376Z'} {'id': 'CVE-2026-55200', 'role': 'CISA Coordinator', 'options': [{'exploitation': 'poc'}, {'automatable': 'no'}, {'technicalImpact': 'total'}], 'version': '2.0.3', 'timestamp': '2026-06-17T00:00:00+00:00'} -
Modified Analysis by [email protected]
Jun. 30, 2026
Action Type Old Value New Value Added CVSS V3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L Removed CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Added Reference Type CISA-ADP: https://web.archive.org/web/20260623211210/https://github.com/bikini/exploitarium/tree/main/libssh2-cve-2026-55200-poc Types: Exploit, Third Party Advisory -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Jun. 30, 2026
Action Type Old Value New Value Added Reference https://web.archive.org/web/20260623211210/https://github.com/bikini/exploitarium/tree/main/libssh2-cve-2026-55200-poc Removed Reference https://github.com/bikini/exploitarium/tree/main/libssh2-cve-2026-55200-poc Removed Reference Type https://github.com/bikini/exploitarium/tree/main/libssh2-cve-2026-55200-poc Types: Patch Changed SSVC {'id': 'CVE-2026-55200', 'role': 'CISA Coordinator', 'options': [{'exploitation': 'poc'}, {'automatable': 'no'}, {'technicalImpact': 'total'}], 'version': '2.0.3', 'timestamp': '2026-06-17T00:00:00+00:00'} {'id': 'CVE-2026-55200', 'role': 'CISA Coordinator', 'options': [{'exploitation': 'poc'}, {'automatable': 'no'}, {'technicalImpact': 'total'}], 'version': '2.0.3', 'timestamp': '2026-06-25T03:55:25.101376Z'} -
Initial Analysis by [email protected]
Jun. 26, 2026
Action Type Old Value New Value Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Added CPE Configuration OR *cpe:2.3:a:libssh2:libssh2:*:*:*:*:*:*:*:* versions up to (including) 1.11.1 Added Reference Type VulnCheck: https://github.com/libssh2/libssh2/commit/97acf3dfda80c91c3a8c9f2372546301d4a1a7a8 Types: Patch Added Reference Type VulnCheck: https://github.com/libssh2/libssh2/pull/2052 Types: Patch Added Reference Type VulnCheck: https://www.vulncheck.com/advisories/libssh2-out-of-bounds-write-via-unchecked-packet-length-in-transport-c Types: Third Party Advisory Added Reference Type CISA-ADP: https://github.com/bikini/exploitarium/tree/main/libssh2-cve-2026-55200-poc Types: Patch -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Jun. 25, 2026
Action Type Old Value New Value Changed SSVC {'id': 'CVE-2026-55200', 'role': 'CISA Coordinator', 'options': [{'exploitation': 'poc'}, {'automatable': 'no'}, {'technicalImpact': 'total'}], 'version': '2.0.3', 'timestamp': '2026-06-24T15:29:08.618049Z'} {'id': 'CVE-2026-55200', 'role': 'CISA Coordinator', 'options': [{'exploitation': 'poc'}, {'automatable': 'no'}, {'technicalImpact': 'total'}], 'version': '2.0.3', 'timestamp': '2026-06-17T00:00:00+00:00'} -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Jun. 24, 2026
Action Type Old Value New Value Added Reference https://github.com/bikini/exploitarium/tree/main/libssh2-cve-2026-55200-poc Changed SSVC {'id': 'CVE-2026-55200', 'role': 'CISA Coordinator', 'options': [{'exploitation': 'none'}, {'automatable': 'no'}, {'technicalImpact': 'total'}], 'version': '2.0.3', 'timestamp': '2026-06-17T00:00:00+00:00'} {'id': 'CVE-2026-55200', 'role': 'CISA Coordinator', 'options': [{'exploitation': 'poc'}, {'automatable': 'no'}, {'technicalImpact': 'total'}], 'version': '2.0.3', 'timestamp': '2026-06-24T15:29:08.618049Z'} -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Jun. 18, 2026
Action Type Old Value New Value Changed SSVC {'id': 'CVE-2026-55200', 'role': 'CISA Coordinator', 'options': [{'exploitation': 'none'}, {'automatable': 'no'}, {'technicalImpact': 'total'}], 'version': '2.0.3', 'timestamp': '2026-06-17T19:44:55.448374Z'} {'id': 'CVE-2026-55200', 'role': 'CISA Coordinator', 'options': [{'exploitation': 'none'}, {'automatable': 'no'}, {'technicalImpact': 'total'}], 'version': '2.0.3', 'timestamp': '2026-06-17T00:00:00+00:00'} -
New CVE Received by [email protected]
Jun. 17, 2026
Action Type Old Value New Value Added Affected [{'repo': 'https://github.com/libssh2/libssh2', 'vendor': 'libssh2', 'product': 'libssh2', 'versions': [{'status': 'affected', 'version': '0', 'versionType': 'semver', 'lessThanOrEqual': '1.11.1'}, {'status': 'unaffected', 'version': '7acf3dfda80c91c3a8c9f2372546301d4a1a7a8', 'versionType': 'git'}], 'defaultStatus': 'unaffected'}] Added Description libssh2 through 1.11.1, fixed in commit 7acf3df contains an out-of-bounds write vulnerability in ssh2_transport_read() that fails to enforce upper bounds on packet_length field. Remote attackers can send crafted SSH packets with excessively large packet_length values to corrupt heap memory and achieve remote code execution. Added CVSS V4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X Added CVSS V3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Added CWE CWE-680 Added Reference https://github.com/libssh2/libssh2/commit/97acf3dfda80c91c3a8c9f2372546301d4a1a7a8 Added Reference https://github.com/libssh2/libssh2/pull/2052 Added Reference https://www.vulncheck.com/advisories/libssh2-out-of-bounds-write-via-unchecked-packet-length-in-transport-c -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Jun. 17, 2026
Action Type Old Value New Value Added SSVC {'id': 'CVE-2026-55200', 'role': 'CISA Coordinator', 'options': [{'exploitation': 'none'}, {'automatable': 'no'}, {'technicalImpact': 'total'}], 'version': '2.0.3', 'timestamp': '2026-06-17T19:44:55.448374Z'}