Impact
The vulnerability is an out‑of‑bounds write in the function that reads SSH packets, where the packet_length field is unchecked. When an attacker sends a packet with an excessively large packet_length, the library writes past its buffer, corrupting heap memory. This corruption can be leveraged to execute arbitrary code on the host, breaching confidentiality, integrity, and availability of the affected system.
Affected Systems
The libssh2 library, a widely used SSH client library, is vulnerable in all releases up to and including 1.11.1. Any application that links against this library and exposes an SSH service is at risk, regardless of the operating system or platform.
Risk and Exploitability
The CVSS score of 9.2 marks the flaw as critical, while the EPSS score of less than 1% indicates that, as of the latest data, exploitation attempts are expected to be rare. The vulnerability is not yet listed in the CISA KEV catalog, but its potential for remote code execution makes it a high‑priority issue for any system that accepts SSH connections using libssh2. An attacker can remotely trigger the flaw by sending a malicious SSH packet that is parsed by the vulnerable function, making timely remediation essential.
OpenCVE Enrichment
Debian DSA
Ubuntu USN