Public PoC Reveals Critical libssh2 Pre-Auth Bug (CVE-2026-55200)

A public proof-of-concept exposes a critical pre-auth memory-corruption flaw in libssh2 (CVE-2026-55200) that can trigger code execution when a client connects to a malicious SSH server; affects all releases up to 1.11.1 with a CVSS of 9.2. No fixed release exists yet; the patch is in mainline and backports are underway (e.g., Debian testing). Inventory every usage of libssh2, including static or bundled copies, and apply a build containing commit 97acf3d. Until patched, restrict outbound SSH, verify host keys, and monitor for oversized-packet anomalies. Related issues CVE-2026-55199 and CVE-2025-15661 are also noted; exploitation in the wild has not been observed.
- Public PoC Released for Critical libssh2 CVE-2026-55200 Client-Side SSH Flaw The Hacker News
- Critical libssh2 vulnerability: Proof-of-concept exploit released heise online
- Critical flaw in popular SSH library enable hackers hijack systems remotely Cybernews
- PoC Exploit Released for libssh2 Remote Code Execution Vulnerability CyberSecurityNews
- Critical libssh2 Vulnerability Lets Remote Attackers Execute Code via Crafted SSH Packets gbhackers.com
Reading Insights
1
9
3 min
vs 4 min read
85%
662 → 100 words
Want the full story? Read the original article
Read on The Hacker News