Public PoC Reveals Critical libssh2 Pre-Auth Bug (CVE-2026-55200)

1 min read
Source: The Hacker News
Public PoC Reveals Critical libssh2 Pre-Auth Bug (CVE-2026-55200)
Photo: The Hacker News
TL;DR Summary

A public proof-of-concept exposes a critical pre-auth memory-corruption flaw in libssh2 (CVE-2026-55200) that can trigger code execution when a client connects to a malicious SSH server; affects all releases up to 1.11.1 with a CVSS of 9.2. No fixed release exists yet; the patch is in mainline and backports are underway (e.g., Debian testing). Inventory every usage of libssh2, including static or bundled copies, and apply a build containing commit 97acf3d. Until patched, restrict outbound SSH, verify host keys, and monitor for oversized-packet anomalies. Related issues CVE-2026-55199 and CVE-2025-15661 are also noted; exploitation in the wild has not been observed.

Share this article

Reading Insights

Total Reads

1

Unique Readers

9

Time Saved

3 min

vs 4 min read

Condensed

85%

662100 words

Want the full story? Read the original article

Read on The Hacker News