CVE-2026-55200 – libssh2 Security Update

CVSS 8.1 IMPORTANT Critical or Zero Day – Immediate Deployment

“One unchecked packet is all it takes to turn a secure connection into a security risk.”

This security update addresses CVE-2026-55200, a high-severity memory corruption vulnerability in libssh2. The issue exists in ssh2_transport_read(), where insufficient validation of the packet_length field can lead to an out-of-bounds heap write. A remote attacker can send a specially crafted SSH packet to corrupt memory, potentially resulting in remote code execution. The CVSS score is 8.1, which is High severity.

The update corrects the packet length validation logic to enforce proper bounds checking and prevent heap corruption. A public proof-of-concept has been confirmed for this vulnerability. There is no verified evidence of active real-world exploitation.

Key Details

Affected Product
Libssh2 Libssh2
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
CWE Classification
CWE-680
Patch this CVE on all your endpoints in under 5 minutes. First 200 endpoints are free forever, scale as needed.