A critical security vulnerability has been identified in the widely used libssh2 library, potentially allowing remote attackers to execute arbitrary code through specially crafted SSH packets. This flaw, designated as CVE-2026-55200, carries a CVSS score of 9.2 and is classified under CWE-680, which pertains to integer overflows leading to buffer overflows.
Disclosed on June 17, 2026, the vulnerability affects libssh2 versions 1.11.1 and earlier. The issue resides in the ssh2_transport_read() function, which fails to properly validate the packet_length field in incoming SSH packets. Due to missing upper-bound checks, attackers can supply excessively large values for packet_length, triggering an integer overflow that leads to an out-of-bounds heap write. This memory corruption condition allows attackers to overwrite adjacent memory structures, potentially enabling full remote code execution without authentication.
The attack vector is network-based and requires no user interaction, making the risk of exploitation particularly high. Successful exploitation of CVE-2026-55200 can result in remote code execution on affected systems, allowing attackers to take control of vulnerable applications. The flaw can cause heap memory corruption, leading to crashes, denial-of-service conditions, and potentially full system compromise on systems using libssh2 for secure communications.
Given that libssh2 is widely embedded in SSH clients, automation frameworks, and file transfer tools, the exposure extends across enterprise environments, cloud services, and embedded systems. The issue has been addressed in a patch introduced by commit 97acf3dfda80c91c3a8c9f2372546301d4a1a7a8, which enforces strict validation of packet_length values to prevent integer and buffer overflows.
Organizations are strongly encouraged to upgrade libssh2 to a patched version as soon as possible. Additionally, security teams should review systems for statically linked or bundled versions of libssh2, monitor SSH traffic for anomalies such as unusually large packet sizes, and implement network-level controls if immediate patching is not feasible.
This vulnerability underscores the critical importance of rigorous input validation in security-sensitive software components. Developers and organizations must prioritize timely updates and patches to mitigate such risks, ensuring the integrity and security of their systems.
