Description
libssh2 through 1.11.1, fixed in commit 1762685, contains a pre-authentication denial of service vulnerability in the SSH_MSG_EXT_INFO handler in src/packet.c that allows a malicious SSH server to cause a client CPU exhaustion loop by sending a crafted extension count value. A malicious server can set nr_extensions to 0xFFFFFFFF during key exchange, causing the client to spin in a tight CPU loop for over 60 seconds because return values from _libssh2_get_string() are unchecked and the session timeout does not apply to CPU-bound loops.
Published: 2026-06-17
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

libssh2 includes a pre‑authentication denial of service flaw in the SSH_MSG_EXT_INFO handler. A malicious SSH server can send an extreme extension count value during key exchange, causing the client to enter an unchecked loop while processing extensions. The loop can use excessive CPU for more than one minute, exhausting the client’s processing capacity and denying legitimate SSH traffic.

Affected Systems

The vulnerability affects libssh2 releases up through 1.11.1. Clients built with libssh2 1.11.1 or earlier are vulnerable until the library is updated to the fixed commit 1762685 or a later release that incorporates the fix.

Risk and Exploitability

The CVSS score of 8.2 indicates high severity, while the EPSS score of less than 1 % implies a low probability of exploitation at present. The flaw is not in the CISA KEV catalog. Exploitation requires control over an SSH server that a client connects to, as the attacker must send the crafted extension count. The impact is limited to service availability on the affected client; confidentiality and integrity are not compromised.

Generated by OpenCVE AI on June 24, 2026 at 10:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade libssh2 to the fixed commit 1762685 (or a later release such as 1.11.2 that incorporates the fix).
  • If an upgrade is not immediately feasible, apply a local patch or fork that aborts key‑exchange when the extension count exceeds a safe threshold.
  • Restrict outbound SSH connections to trusted servers and monitor CPU usage during key exchange; terminate or alert if an abnormal CPU spike occurs.

Generated by OpenCVE AI on June 24, 2026 at 10:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6365-1 libssh2 security update
Ubuntu USN Ubuntu USN USN-8486-1 libssh2 vulnerabilities
History

Wed, 24 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-606
References
Metrics threat_severity

None

threat_severity

Moderate


Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Description libssh2 through 1.11.1, fixed in commit 1762685, contains a pre-authentication denial of service vulnerability in the SSH_MSG_EXT_INFO handler in src/packet.c that allows a malicious SSH server to cause a client CPU exhaustion loop by sending a crafted extension count value. A malicious server can set nr_extensions to 0xFFFFFFFF during key exchange, causing the client to spin in a tight CPU loop for over 60 seconds because return values from _libssh2_get_string() are unchecked and the session timeout does not apply to CPU-bound loops.
Title libssh2 - Pre-Authentication DoS via SSH_MSG_EXT_INFO Handler
First Time appeared Libssh2
Libssh2 libssh2
Weaknesses CWE-835
CPEs cpe:2.3:a:libssh2:libssh2:*:*:*:*:*:*:*:*
Vendors & Products Libssh2
Libssh2 libssh2
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-18T15:31:59.479Z

Reserved: 2026-06-16T15:53:37.764Z

Link: CVE-2026-55199

cve-icon Vulnrichment

Updated: 2026-06-18T15:31:52.633Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-17T18:44:00Z

Links: CVE-2026-55199 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T10:45:03Z

Weaknesses
  • CWE-606

    Unchecked Input for Loop Condition

  • CWE-835

    Loop with Unreachable Exit Condition ('Infinite Loop')