libssh2 SSH Packet Length OOB Heap Write / Unauthenticated RCE (CVE-2026-55200)
by TristanInSec (discovery); Ashraf Zaryouh / 0xBlackash (PoC) · 2026-06-30
| Field | Value |
|---|---|
| Severity | Critical |
| CVE | CVE-2026-55200 |
| Category | network |
| Affected product | libssh2 (SSH client library) |
| Affected versions | libssh2 0.x through 1.11.1 |
| Disclosed | 2026-06-30 |
| Patch status | patched |
References
- https://nvd.nist.gov/vuln/detail/CVE-2026-55200
- https://www.vulncheck.com/advisories/libssh2-out-of-bounds-write-via-unchecked-packet-length-in-transport-c
- https://github.com/libssh2/libssh2/commit/97acf3dfda80c91c3a8c9f2372546301d4a1a7a8
- https://github.com/libssh2/libssh2/pull/2052
- https://github.com/0xBlackash/CVE-2026-55200
Archive entry: intelseclab/poc-archive
Metadata
| Field | Value |
|---|---|
| Date Added | 2026-06-30 |
| Last Updated | 2026-06-30 |
| Author / Researcher | TristanInSec (discovery); Ashraf Zaryouh / 0xBlackash (PoC) |
| CVE / Advisory | CVE-2026-55200 |
| Category | network |
| Severity | Critical |
| CVSS Score | 9.8 (CVSSv3.1, NIST); 9.2 (CVSSv4, VulnCheck) |
| Status | PoC |
| Tags | RCE, OOB-write, heap-corruption, libssh2, SSH, integer-overflow, unauthenticated, C, network |
| Related | N/A |
Affected Target
| Field | Value |
|---|---|
| Software / System | libssh2 (SSH client library) |
| Versions Affected | libssh2 0.x through 1.11.1 |
| Language / Platform | C; Linux / macOS / Windows (any platform embedding libssh2) |
| Authentication Required | No |
| Network Access Required | Yes (client connects to attacker-controlled SSH server) |
Summary
CVE-2026-55200 is a critical heap out-of-bounds write in libssh2’s SSH transport layer (ssh2_transport_read() in src/transport.c). The function validates that packet_length is greater than zero but performs no upper-bound check, allowing an attacker-controlled SSH server to supply packet_length = 0xFFFFFFFF. libssh2 then allocates insufficient memory and writes packet data far beyond the buffer boundary, corrupting heap structures. The vulnerability requires no authentication — any libssh2 client that connects to a malicious server is at risk. Fixed in libssh2 commit 97acf3dfda80c91c3a8c9f2372546301d4a1a7a8 (PR #2052, merged June 12, 2026).
Vulnerability Details
Root Cause
ssh2_transport_read() in src/transport.c validates packet_length with only a lower-bound check (the value must be greater than zero); no upper bound is enforced. The fix adds the missing upper-bound check on packet_length.
When an attacker supplies packet_length = 0xFFFFFFFF, the library allocates a small buffer then writes the oversized payload into heap memory beyond the allocation, corrupting adjacent heap metadata and data.
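As an added illustration (not libssh2's code and not the PoC), a hypothetical header validator in C that keeps the lower-bound check the vulnerable code had and adds the missing upper bound before any buffer is sized from the length. MAX_PACKET_LENGTH is an assumed limit taken from RFC 4253's 35000-byte minimum-support requirement, and the sample headers are constructed, not captured traffic.

```c
#include <stdint.h>
#include <stdio.h>

/* Upper bound assumed for this example: RFC 4253 section 6.1 only requires
 * implementations to handle total packet sizes up to 35000 bytes. */
#define MAX_PACKET_LENGTH 35000u
#define PKT_ERR_LENGTH (-1L)

/* Hypothetical header validator, not libssh2 code.  'hdr' is the first 5
 * bytes of an SSH binary packet: uint32 packet_length (big-endian) followed
 * by byte padding_length.  Returns packet_length on success, PKT_ERR_LENGTH
 * if the header must be rejected before anything is allocated from it. */
long ssh_packet_length_checked(const unsigned char hdr[5])
{
    uint32_t packet_length = ((uint32_t)hdr[0] << 24) | ((uint32_t)hdr[1] << 16) |
                             ((uint32_t)hdr[2] << 8)  |  (uint32_t)hdr[3];
    uint8_t padding_length = hdr[4];

    /* Lower bound: the only check the vulnerable code performed. */
    if (packet_length < 1)
        return PKT_ERR_LENGTH;
    /* Upper bound: the check that was missing.  Rejecting 0xFFFFFFFF here
     * means no buffer is ever sized from an attacker-chosen length. */
    if (packet_length > MAX_PACKET_LENGTH)
        return PKT_ERR_LENGTH;
    /* RFC 4253 section 6: at least 4 bytes of padding, and padding plus the
     * padding_length byte itself must fit inside packet_length. */
    if (padding_length < 4 || (uint32_t)padding_length + 1 > packet_length)
        return PKT_ERR_LENGTH;
    return (long)packet_length;
}

/* Constructed sample headers (not captured traffic). */
static const unsigned char hdr_valid[5]     = { 0x00, 0x00, 0x00, 0x1c, 0x0a }; /* len 28, pad 10 */
static const unsigned char hdr_malicious[5] = { 0xff, 0xff, 0xff, 0xff, 0x04 }; /* the CVE's 0xFFFFFFFF */
static const unsigned char hdr_zero[5]      = { 0x00, 0x00, 0x00, 0x00, 0x04 }; /* caught by old check */
static const unsigned char hdr_badpad[5]    = { 0x00, 0x00, 0x00, 0x05, 0x08 }; /* padding > length */

int main(void)
{
    const unsigned char *samples[] = { hdr_valid, hdr_malicious, hdr_zero, hdr_badpad };
    const char *names[] = { "valid", "malicious", "zero", "badpad" };
    for (int i = 0; i < 4; i++) {
        long r = ssh_packet_length_checked(samples[i]);
        printf("%-9s -> %s (%ld)\n", names[i], r < 0 ? "reject" : "accept", r);
    }
    return 0;
}
```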
Attack Vector
The attacker operates a malicious SSH server. Any libssh2 client connecting to that server is vulnerable regardless of user interaction — the vulnerability triggers during the SSH handshake before authentication.
Attack Steps
- Run the PoC server on a chosen port (default 2222).
- Lure or wait for a libssh2 client to connect (e.g., a CI/CD pipeline, SFTP client, embedded device, or any app using libssh2 for SSH).
- PoC sends a valid SSH banner and `SSH_MSG_KEXINIT` to complete the handshake preamble.
- PoC sends a crafted packet with `packet_length = 0xFFFFFFFFU`.
- Vulnerable client’s heap is corrupted; DoS or RCE depending on heap layout.
Impact
- Denial of service (process crash) in all vulnerable clients.
- Heap corruption enabling arbitrary code execution in exploitable heap layouts.
- Any software or language binding built on libssh2 is affected: Rust `ssh2` crate, Python `libssh2-python`, PHP SSH2 extension, embedded systems, network appliances, CI/CD agents.
Environment / Lab Setup
Attacker: Linux host with gcc + pthread
PoC role: Malicious SSH server
Victim: Any libssh2 client (libssh2 0.x – 1.11.1) connecting to attacker server
Build and Run
Then connect any libssh2 client to the PoC server.
Proof of Concept
Exploit Flow
The PoC implements a minimal malicious SSH server:
- Sends the `SSH-2.0-0xBlackash-Malicious\r\n` banner.
- Exchanges `SSH_MSG_KEXINIT` with the connecting client.
- Sends a crafted SSH record with `packet_length = 0xFFFFFFFFU` after the key exchange.
- Client’s `ssh2_transport_read()` passes the lower-bound check, allocates a small buffer, and attempts to read/write `0xFFFFFFFF` bytes — corrupting heap memory.
Expected Output
[*] Listening on port 2222...
[*] Client connected: 192.168.1.50:54321
[*] Sending malicious banner...
[*] Handshake in progress...
[*] Sending crafted packet: length=0xffffffff
[*] Done. Check client for crash/corruption.
Client-side (vulnerable):
Segmentation fault (core dumped)
Detection & Indicators of Compromise
Remediation
| Action | Detail |
|---|---|
| Patch | Upgrade libssh2 to ≥ 1.11.2 or rebuild against commit 97acf3dfda80c91c3a8c9f2372546301d4a1a7a8 |
| Verify | Confirm LIBSSH2_VERSION ≥ 1.11.2 in linked applications |
| Network | Restrict outbound SSH connections to trusted servers; block connections to unknown SSH endpoints |