Critical libssh2 Vulnerability Allows Remote Code Execution Via Malicious SSH Packets
A critical integer overflow vulnerability in libssh2 (CVE-2026-55200, CVSS 9.2) lets unauthenticated attackers execute arbitrary code by sending crafted SSH packets, affecting all versions up to 1.11.1.
A critical security flaw has been disclosed in the widely used libssh2 library, a C library implementing the SSH2 protocol that underpins countless applications, automation frameworks, and file transfer tools. Tracked as CVE-2026-55200 and carrying a CVSS score of 9.2, the vulnerability allows remote attackers to achieve unauthenticated remote code execution by sending specially crafted SSH packets. The flaw, classified under CWE-680 (Integer Overflow to Buffer Overflow), was responsibly disclosed by security researcher Tristan Madani and patched on June 17, 2026.
The vulnerability resides in the ssh2_transport_read() function, which is responsible for processing incoming SSH transport layer packets. An integer overflow occurs when the function fails to properly validate the packet_length field in a crafted SSH packet. By supplying an excessively large value for this field, an attacker can trigger an integer overflow that leads to an out-of-bounds heap write. This memory corruption condition can then be exploited to overwrite adjacent heap data, enabling full remote code execution without requiring any authentication or user interaction.
Because libssh2 is a foundational library included in numerous SSH clients, servers, automation frameworks, and embedded systems, the exposure is extremely broad. Enterprise environments, cloud-based services, and IoT devices that rely on libssh2 for secure communications are all potentially at risk. The flaw affects all libssh2 versions 1.11.1 and earlier. The attack vector is network-based and requires no user interaction, making it highly likely to be weaponized in automated scanning and exploitation campaigns.
A patch has been released in commit 7acf3df on the libssh2 GitHub repository, which enforces strict validation of the packet_length value before it is used in memory allocation or copy operations. The fix ensures that integer overflows cannot occur and that buffer boundaries are respected. Organizations are strongly urged to upgrade to a patched version immediately. Security teams should also audit their software inventory to identify any applications that statically link or bundle an affected version of libssh2, as these will require recompilation or replacement.
As of publication, there are no public reports of active exploitation in the wild, but the high CVSS score and the ease of triggering the vulnerability make it a prime target for threat actors. Given libssh2's ubiquity in both consumer and enterprise applications, CISA and other cybersecurity agencies are likely to issue advisories in the coming days. The disclosure follows a growing trend of critical vulnerabilities in foundational cryptographic libraries that can have cascading effects across the software supply chain.
This vulnerability underscores the importance of rigorous input validation in low-level networking code, especially in libraries that are widely reused. The coordinated response between the researcher and the libssh2 maintainers helped ensure a patch was available before public disclosure, but the window for attackers to reverse-engineer the fix and develop exploits is now open. Organizations should treat this as an urgent patching priority.