Critical libssh2 Flaw Exposes Curl, Git, PHP to RCE Risk
A critical client-side SSH vulnerability, identified as CVE-2026-55200, has been disclosed in the `libssh2` library. This flaw allows a malicious or compromised SSH server to trigger memory corruption on a connecting client, potentially leading to remote code execution without requiring credentials or user interaction.

A public Proof-of-Concept (PoC) exploit has been released for the flaw, a critical out-of-bounds write that affects all `libssh2` versions up to and including 1.11.1. It is particularly dangerous because it can be exploited pre-authentication, during the handshake phase, before any credentials are exchanged.

Integer Overflow Fuels Pre-Authentication Exploit

CVE-2026-55200 is categorized as an integer overflow to buffer overflow vulnerability (CWE-680). The issue resides in the `ssh2_transport_read()` function within `transport.c`, which processes incoming SSH packets. An attacker can send a `packet_length` of `0xffffffff`, causing the value to wrap around due to 32-bit arithmetic. This results in an undersized buffer allocation, leading to a heap write outside the buffer’s bounds. The public PoC, available in the “exploitarium” GitHub repository, demonstrates a local trigger and a controlled local RCE harness for the bug. This vulnerability is rated 9.2 (Critical) on the CVSS v4.0 scale.
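The wrap-around described above, shown as an added illustration of the CWE-680 pattern on an SSH binary packet header; this is not code from `libssh2` or from the fix commit. The function names, the 16-byte MAC length and the size limits are assumptions for the sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RFC 4253 section 6.1: implementations must handle packets up to 35000 bytes in total. */
#define MAX_TOTAL_PACKET 35000u
/* Assumed floor: 16-byte minimum packet minus the 4-byte length field. */
#define MIN_PACKET_LENGTH 12u

/* Read the big-endian uint32 packet_length that opens every SSH binary packet. */
static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Unsafe pattern: all arithmetic stays in 32 bits and the peer's value is
   never bounded. 0xffffffff + 4 + 16 wraps to 19, so the allocation is far
   smaller than the length later used for writing. */
uint32_t buffer_size_unchecked(const uint8_t hdr[4], uint32_t mac_len)
{
    return read_be32(hdr) + 4u + mac_len;
}

/* Hardened pattern: add in a 64-bit type that cannot wrap, then bound the
   result. Returns 0 and stores the size in *out, or -1 to reject the packet. */
int buffer_size_checked(const uint8_t hdr[4], uint32_t mac_len, size_t *out)
{
    uint32_t packet_length = read_be32(hdr);
    uint64_t total = 4u + (uint64_t)packet_length + mac_len;

    if (packet_length < MIN_PACKET_LENGTH || total > MAX_TOTAL_PACKET)
        return -1;
    *out = (size_t)total;
    return 0;
}

int main(void)
{
    const uint8_t hostile[4] = {0xff, 0xff, 0xff, 0xff}; /* constructed header */
    const uint8_t normal[4]  = {0x00, 0x00, 0x00, 0x1c}; /* constructed: length 28 */
    size_t n = 0;

    printf("unchecked size: %u\n", (unsigned)buffer_size_unchecked(hostile, 16));
    printf("checked verdict: %d\n", buffer_size_checked(hostile, 16, &n));
    if (buffer_size_checked(normal, 16, &n) == 0)
        printf("checked size: %zu\n", n);
    return 0;
}
```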

Curl, Git, PHP Among Affected Software

The risk from this vulnerability is amplified by the widespread use of `libssh2` across various software. Any application or appliance that statically or dynamically links to a vulnerable `libssh2` version and initiates outbound SSH connections to untrusted servers is at risk. This includes prominent tools such as `curl`, `Git`, PHP, backup agents, firmware updaters, and network appliances. Debian users on bullseye (1.9.0-2+deb11u1), bookworm (1.10.0-3), and trixie (1.11.1-1) are specifically noted as affected.

Immediate Patching and Monitoring Advised

While there is currently no official `libssh2` release containing the fix for CVE-2026-55200, a patch is available in the mainline source through commit 97acf3df. Some Linux distributions have already backported this patch. Organizations must immediately inventory all software and appliances utilizing `libssh2` and apply patched builds or backports as soon as possible.

Additionally, restricting outbound SSH connections to trusted servers and verifying host keys can help reduce exposure. As of this advisory, there are no confirmed reports of in-the-wild exploitation, but the public PoC significantly increases the risk of imminent attacks. Organizations should remain vigilant for signs of exploitation, as Advanced Persistent Threat (APT) groups may incorporate this vulnerability into their toolkits.
