Integer Overflow Fuels Pre-Authentication Exploit
CVE-2026-55200 is categorized as an integer overflow to buffer overflow vulnerability (CWE-680). The issue resides in the `ssh2_transport_read()` function within `transport.c`, which processes incoming SSH packets. An attacker can send a `packet_length` of `0xffffffff`, causing the value to wrap around due to 32-bit arithmetic. This results in an undersized buffer allocation, leading to a heap write outside the buffer’s bounds. The public PoC, available in the “exploitarium” GitHub repository, demonstrates a local trigger and a controlled local RCE harness for the bug. This vulnerability is rated 9.2 (Critical) on the CVSS v4.0 scale.
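A simplified model of the CWE-680 pattern described above, added here as an illustration and not taken from libssh2's `transport.c`: the packet_length field is read big-endian, the unchecked path adds a small overhead in 32-bit arithmetic and wraps for `0xffffffff`, while the hardened path rejects any length that would wrap or exceed a protocol maximum before allocating. The overhead constant and the `MAX_PACKET` limit are assumptions for the example.

```c
#include <stdint.h>
#include <stddef.h>

/* Hypothetical constants (not libssh2's): bytes added to the wire length
 * before allocation, and a sanity cap for a single packet (RFC 4253 asks
 * implementations to accept at least 35000 bytes). */
#define OVERHEAD   4u
#define MAX_PACKET 35000u

/* SSH encodes packet_length as a 4-byte big-endian integer. */
uint32_t read_be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern: 32-bit addition wraps, so 0xffffffff + 4 == 3 and
 * the allocation is far smaller than the data later copied into it. */
uint32_t alloc_size_unchecked(uint32_t packet_length) {
    return packet_length + OVERHEAD;
}

/* Hardened pattern: reject before the arithmetic can wrap, then apply a
 * policy limit, and only then widen to size_t for the allocation. */
int alloc_size_checked(uint32_t packet_length, size_t *out) {
    if (packet_length > UINT32_MAX - OVERHEAD) return -1; /* would wrap */
    if (packet_length > MAX_PACKET)            return -1; /* over cap    */
    *out = (size_t)packet_length + OVERHEAD;
    return 0;
}

/* Defender-side check on a raw 4-byte header: 1 = accepted, 0 = rejected. */
int header_is_sane(const unsigned char hdr[4]) {
    size_t n;
    return alloc_size_checked(read_be32(hdr), &n) == 0;
}
```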
Curl, Git, PHP Among Affected Software
The risk from this vulnerability is amplified by the widespread use of `libssh2` across various software. Any application or appliance that statically or dynamically links to a vulnerable `libssh2` version and initiates outbound SSH connections to untrusted servers is at risk. This includes prominent tools such as `curl`, `Git`, PHP, backup agents, firmware updaters, and network appliances. Debian users on bullseye (1.9.0-2+deb11u1), bookworm (1.10.0-3), and trixie (1.11.1-1) are specifically noted as affected.
Immediate Patching and Monitoring Advised
While there is currently no official `libssh2` release containing the fix for CVE-2026-55200, a patch is available in the mainline source through commit 97acf3df. Some Linux distributions have already backported this patch. Organizations must immediately inventory all software and appliances utilizing `libssh2` and apply patched builds or backports as soon as possible.
Additionally, restricting outbound SSH connections to trusted servers and verifying host keys can help reduce exposure. As of this advisory, there are no confirmed reports of in-the-wild exploitation, but the public PoC significantly increases the risk of imminent attacks. Organizations should remain vigilant for signs of exploitation, as Advanced Persistent Threat (APT) groups may incorporate this vulnerability into their toolkits.
Follow Hashlytics on Bluesky, LinkedIn, Telegram and X to get instant updates.