Jun 30, 2026 · 5 min read

libssh2 CVE-2026-55200: PoC Drops for Critical SSH RCE

An integer overflow in ssh2_transport_read() lets an unauthenticated attacker execute code on any host running the affected library. A public proof of concept dropped June 29 — and libssh2 is embedded in PHP, curl, R, and thousands of applications worldwide.

On June 29, 2026, a public proof of concept for CVE-2026-55200 appeared on GitHub, targeting a pre-authentication remote code execution vulnerability in libssh2 — a widely used open source C library that implements the SSHv2 protocol. The flaw exists in all versions through 1.11.1. The patched release, 1.11.2, was available before the PoC dropped, but the gap between patch availability and patch adoption across the ecosystem means a significant fraction of deployments remain exposed as of publication.

libssh2 is not a server. It is a client library — embedded inside applications that need to speak SSH to remote systems. PHP's ssh2 extension uses it. curl uses it for SFTP support. R's ssh package uses it. Any application that links against libssh2 and connects to an attacker-controlled SSH server is potentially exploitable — the attack surface is the client connecting to a malicious endpoint, not just servers accepting inbound connections.

Key Takeaways

  • CVE-2026-55200 is an integer overflow in ssh2_transport_read() triggered during the SSH handshake — before authentication.
  • CVSS score: 9.2 (Critical). No valid credentials required to trigger the overflow.
  • All libssh2 versions through 1.11.1 are affected. Patch to 1.11.2.
  • A public PoC was released June 29, 2026, lowering the exploitation barrier significantly.
  • Attack vector: a malicious SSH server sends a crafted handshake packet to any client built on libssh2. This flips the conventional server-side exposure model — the client is the victim.
  • PHP, curl (SFTP mode), R's ssh package, and any application linking against libssh2 are potentially affected.
What Is the Vulnerability?

The flaw is an integer overflow in ssh2_transport_read(), the core packet parsing function that handles the SSH transport layer during connection setup. The SSH handshake exchanges capability packets between client and server before any authentication takes place. A malicious server can craft a packet with a manipulated length field that, when processed by the integer arithmetic in ssh2_transport_read(), overflows a 32-bit integer and causes the calculated buffer size to wrap to a small number.

The result is a heap buffer overflow: the library allocates a buffer based on the wrapped (undersized) value but then writes packet data of the original (large) length into it. This corrupts heap memory in a controlled manner. The public PoC demonstrates leveraging this corruption for arbitrary code execution in the context of the process that linked against libssh2. On a typical server running PHP or a data pipeline using curl for SFTP transfers, that process context can include database credentials, filesystem access, or session tokens.

The vulnerability was discovered by the phantom-sec research group and reported to the libssh2 maintainers before public disclosure. The fix in libssh2 1.11.2 adds bounds checking on the length field before the allocation to prevent the integer wrap.
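The two paragraphs above describe a generic length-field overflow: a peer-controlled 32-bit length plus a fixed overhead wraps past 2^32, the receiver allocates the wrapped (tiny) size, and the full-length body is then written into it. The C program below is an added illustration of that pattern and of the bounds-check fix; it is not libssh2's code, and the names (alloc_size_unchecked, alloc_size_checked, PACKET_OVERHEAD, MAX_PACKET_LEN) and the overhead and ceiling values are this example's own assumptions. It computes what each strategy would allocate for a constructed benign header and a constructed hostile header, and stops there: no oversized copy is performed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Largest packet this hypothetical transport will accept. RFC 4253 requires
 * implementations to handle packets of at least 35000 bytes; using that figure
 * as a hard ceiling is this example's choice, not libssh2's. */
#define MAX_PACKET_LEN 35000u

/* Fixed per-packet overhead the receiver adds on top of the advertised length
 * (length field plus a MAC); the exact value is illustrative. */
#define PACKET_OVERHEAD 24u

/* Constructed sample headers (big-endian 32-bit length field). The hostile
 * one is chosen so that length + PACKET_OVERHEAD wraps past 2^32 to 8. */
const uint8_t BENIGN_HDR[4]  = { 0x00, 0x00, 0x00, 0x64 };   /* 100 bytes */
const uint8_t HOSTILE_HDR[4] = { 0xFF, 0xFF, 0xFF, 0xF0 };   /* 4294967280 */

/* Read the big-endian 32-bit length field that leads an SSH binary packet. */
uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Unchecked pattern: 32-bit addition wraps silently, so a huge advertised
 * length yields a tiny allocation size while the packet body stays huge. */
uint32_t alloc_size_unchecked(uint32_t packet_length) {
    return packet_length + PACKET_OVERHEAD;
}

/* Hardened pattern: validate the peer-supplied length before any arithmetic
 * or allocation depends on it. Once the ceiling holds, the sum cannot wrap. */
bool alloc_size_checked(uint32_t packet_length, size_t *out) {
    if (packet_length > MAX_PACKET_LEN)
        return false;                      /* untrusted length: reject, don't clamp */
    *out = (size_t)packet_length + PACKET_OVERHEAD;
    return true;
}

/* Convenience wrappers operating directly on a 4-byte header. */
uint32_t unchecked_alloc_for(const uint8_t hdr[4]) {
    return alloc_size_unchecked(read_be32(hdr));
}

bool header_accepted(const uint8_t hdr[4]) {
    size_t n = 0;
    return alloc_size_checked(read_be32(hdr), &n);
}

int main(void) {
    printf("benign : length=%u unchecked alloc=%u checked=%s\n",
           read_be32(BENIGN_HDR), unchecked_alloc_for(BENIGN_HDR),
           header_accepted(BENIGN_HDR) ? "accept" : "reject");
    printf("hostile: length=%u unchecked alloc=%u checked=%s\n",
           read_be32(HOSTILE_HDR), unchecked_alloc_for(HOSTILE_HDR),
           header_accepted(HOSTILE_HDR) ? "accept" : "reject");
    /* A receiver trusting the unchecked value would malloc(8) and then copy
     * about 4 GiB of peer data into it: the heap overflow described above. */
    return 0;
}
```

The point to take from the hardened path is ordering: the comparison against a protocol maximum happens on the raw field, before the addition, so the wrapped value never exists to be passed to the allocator. Checking the sum after computing it in the same 32-bit width would not catch the wrap.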

Why Is Pre-Auth RCE Especially Dangerous?

Most SSH exploitation scenarios assume a post-authentication attack surface — a weakness that can only be reached after providing valid credentials. Pre-auth vulnerabilities eliminate that requirement entirely. An attacker who can get a libssh2-based client to connect to an attacker-controlled endpoint triggers the overflow before any identity is established. This has several implications:

  • No credential requirement: The exploit fires during the SSH handshake, before the library even presents credentials to the server.
  • Client as victim: The attack originates from the server side. Any application that performs outbound SFTP/SSH connections — backup scripts, deployment pipelines, data sync jobs — can be targeted if an attacker can position a malicious server in the connection path (via DNS hijacking, BGP manipulation, MITM on an insecure network, or compromising a legitimate SSH target).
  • Supply chain exposure: Applications that bundle libssh2 (or depend on it transitively through curl or PHP extensions) may not update their bundled copy when the system libssh2 is patched. Container images, compiled binaries, and vendor packages all carry their own copy of the library.

What Applications Are Affected?

The direct attack surface is any process that links against libssh2 and opens an outbound SSH or SFTP connection during a session where an attacker can influence the target endpoint. Common exposure points include:

  • PHP with the ssh2 extension: Any PHP application that uses ssh2_connect() or SFTP functions
  • curl in SFTP mode: curl builds that use libssh2 as their SSH backend; scripts using sftp:// URLs through such a build are affected
  • R's ssh package: The CRAN ssh package links against libssh2
  • Deployment and CI/CD tooling: Any pipeline step that uses SFTP transfers for artifact delivery or remote execution via libssh2
  • Embedded systems and IoT: Devices that use libssh2 for management plane connectivity

OpenSSH (the standard ssh / sshd stack) is NOT affected — it does not use libssh2. libssh (a different library) is also a separate codebase and is not affected by this CVE. The vulnerability is specific to the libssh2 library.

How to Check and Patch

Check the installed libssh2 version on your systems:

Debian / Ubuntu:

dpkg -l libssh2-1
# Update:
apt-get update && apt-get upgrade libssh2-1

RHEL / Fedora / Rocky:

rpm -q libssh2
# Update:
dnf update libssh2

macOS (Homebrew):

brew list --versions libssh2
brew upgrade libssh2

Find processes using libssh2 on Linux:

lsof | grep libssh2

For container images and compiled applications, the system library update is not sufficient — any bundled copy of libssh2 inside a container image, Python wheel, or vendor package needs to be rebuilt against 1.11.2 or patched separately. Check your container base images for their libssh2 version and rebuild if necessary.

If an immediate patch is not possible, the short-term mitigation is to ensure libssh2-based clients only connect to known-good endpoints over trusted network paths (no connections to user-supplied SSH targets without validation) and monitor for anomalous outbound SSH/SFTP connections.

Context: A Busy Month for Client-Side SSH Risk

CVE-2026-55200 arrives after several months of elevated SSH and kernel-level vulnerability disclosures. In May 2026, researchers published CVE-2026-46333, a 9-year-old logic flaw in the Linux kernel's ptrace path that affected default Debian, Ubuntu, and Fedora configurations. That same month, the DirtyFrag / Fragnesia vulnerabilities — covered in this analysis of AI-discovered Linux privilege escalation bugs — demonstrated the page cache corruption class. CVE-2026-55200 sits at a different layer (userspace library rather than kernel) but shares the same theme: foundational infrastructure components that ship in default configurations across millions of hosts are carrying high-severity bugs that public researchers and, increasingly, public PoC authors are finding before defenders have patched.

With a CVSS of 9.2 and a working PoC publicly available, CVE-2026-55200 should be treated as actively exploitable. Patch or apply network controls before the window between PoC release and active exploitation closes.

Sources: libssh2 1.11.2 Release Notes | NVD: CVE-2026-55200 | Tenable CVE Detail.
