Description
libssh2 through 1.11.1, fixed in commit 7acf3df contains an out-of-bounds write vulnerability in ssh2_transport_read() that fails to enforce upper bounds on packet_length field. Remote attackers can send crafted SSH packets with excessively large packet_length values to corrupt heap memory and achieve remote code execution.
Published: 2026-06-17
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an out‑of‑bounds write in the function that reads SSH packets, where the packet_length field is unchecked. When an attacker sends a packet with an excessively large packet_length, the library writes past its buffer, corrupting heap memory. This corruption can be leveraged to execute arbitrary code on the host, breaching confidentiality, integrity, and availability of the affected system.

Affected Systems

The libssh2 library, a widely used SSH client library, is vulnerable in all releases up to and including 1.11.1. Any application that links against this library and exposes an SSH service is at risk, regardless of the operating system or platform.

Risk and Exploitability

The CVSS score of 9.2 marks the flaw as critical, while the EPSS score of less than 1% indicates that, as of the latest data, exploitation attempts are expected to be rare. The vulnerability is not yet listed in the CISA KEV catalog, but its potential for remote code execution makes it a high‑priority issue for any system that accepts SSH connections using libssh2. An attacker can remotely trigger the flaw by sending a malicious SSH packet that is parsed by the vulnerable function, making timely remediation essential.

Generated by OpenCVE AI on June 18, 2026 at 20:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade libssh2 to a version that incorporates the fix from commit 7acf3df or later. This patch restores proper bounds checking on packet_length before copying data into memory.
  • Restrict inbound SSH traffic to trusted networks or hosts using firewall or ACL rules, reducing the attack surface for potential exploitation.
  • Continuously monitor SSH logs for unusual connection attempts or packet sizes that deviate from normal operation, as such anomalies could indicate an attempt to exercise the vulnerability.

Generated by OpenCVE AI on June 18, 2026 at 20:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6365-1 libssh2 security update
Ubuntu USN Ubuntu USN USN-8486-1 libssh2 vulnerabilities
History

Tue, 30 Jun 2026 13:30:00 +0000


Wed, 24 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Important


Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Description libssh2 through 1.11.1, fixed in commit 7acf3df contains an out-of-bounds write vulnerability in ssh2_transport_read() that fails to enforce upper bounds on packet_length field. Remote attackers can send crafted SSH packets with excessively large packet_length values to corrupt heap memory and achieve remote code execution.
Title libssh2 - Out-of-Bounds Write via Unchecked packet_length in transport.c
First Time appeared Libssh2
Libssh2 libssh2
Weaknesses CWE-680
CPEs cpe:2.3:a:libssh2:libssh2:*:*:*:*:*:*:*:*
Vendors & Products Libssh2
Libssh2 libssh2
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-07-01T03:55:44.592Z

Reserved: 2026-06-16T15:53:37.764Z

Link: CVE-2026-55200

cve-icon Vulnrichment

Updated: 2026-06-17T19:45:05.382Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-17T19:03:15Z

Links: CVE-2026-55200 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T21:00:13Z

Weaknesses
  • CWE-680

    Integer Overflow to Buffer Overflow