Bottom Line: CVE-2026-55200 (CVSS 9.2) and CVE-2026-55199 (CVSS 8.2) in libssh2 1.11.1 and all older versions require immediate patching, but fixed official releases are not yet available.
Two critical flaws have been discovered in the SSH library libssh2, affecting millions of systems worldwide: one enables remote code execution, the other causes CPU exhaustion. Both vulnerabilities can be exploited before or without authentication.
Two critical vulnerabilities have been identified in the widely used SSH library libssh2. The more severe is designated CVE-2026-55200 with a CVSS base score of 9.2 and is a heap buffer overflow on write. libssh2 defines an internal limit for the size of received SSH data packets but does not enforce it consistently on every path that handles incoming data. packet_length is the 32-bit length field at the head of every SSH binary packet (RFC 4253), and an attacker who sends manipulated packets with excessively large packet_length values can corrupt heap memory and achieve remote code execution. The attack requires neither privileges nor user interaction.
The second vulnerability CVE-2026-55199 (CVSS 8.2) is a denial-of-service flaw that endangers client systems during connection establishment to malicious or compromised SSH servers. It is triggered before authentication: the server declares an implausibly high number of supported extensions during key exchange, driving the client into a computationally intensive loop that fully utilizes the CPU for over 60 seconds.
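Both flaws come down to the same discipline: an integer read from the wire (a packet length, an element count) must be bounded before it drives an allocation, a copy or a loop. The following C example is added here to illustrate that discipline for both cases; it is not libssh2's code and does not reproduce either bug. It assumes the 35000-byte packet cap that RFC 4253 §6.1 requires implementations to support (libssh2's own constant is not given on the page), assumes the extension list in question is the SSH_MSG_EXT_INFO message of RFC 8308, and uses an assumed cap of 64 extensions; all sample packets are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hard cap on a whole SSH binary packet. RFC 4253 section 6.1 requires
 * support for total lengths up to 35000 bytes; the constant libssh2 itself
 * uses is not taken from the article and is an assumption here. */
#define MAX_PACKET_LEN 35000u
#define MIN_PADDING    4u
/* Assumed plausibility cap for SSH_MSG_EXT_INFO (RFC 8308); real peers
 * advertise a handful of extensions. */
#define MAX_EXTENSIONS 64u

enum status { ST_OK = 0, ST_NEED_MORE, ST_TOO_LARGE, ST_BAD_STRUCTURE };

struct ssh_packet {
    uint32_t packet_length;
    uint8_t  padding_length;
    const uint8_t *payload;
    size_t payload_len;
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

/* Packet framing: packet_length is validated against the cap and against the
 * bytes actually present before it is used as a size anywhere. */
enum status parse_packet(const uint8_t *buf, size_t buflen, struct ssh_packet *out)
{
    if (buflen < 5)
        return ST_NEED_MORE;            /* need packet_length + padding_length */
    uint32_t plen = be32(buf);
    if (plen > MAX_PACKET_LEN)
        return ST_TOO_LARGE;            /* reject before any allocation or copy */
    if (plen > buflen - 4)              /* wrap-free form of 4 + plen > buflen */
        return ST_NEED_MORE;
    uint8_t padlen = buf[4];
    if (padlen < MIN_PADDING || (uint32_t)padlen + 1 > plen)
        return ST_BAD_STRUCTURE;        /* padding cannot exceed the packet */
    out->packet_length  = plen;
    out->padding_length = padlen;
    out->payload        = buf + 5;
    out->payload_len    = plen - 1 - padlen;
    return ST_OK;
}

/* SSH_MSG_EXT_INFO payload: byte 7, uint32 nr-extensions, then that many
 * (string name, string value) pairs. Every pair costs at least 8 bytes of
 * length prefixes, so a count above remaining/8 can never be satisfied and is
 * refused up front instead of being iterated. Returns the number of
 * extensions walked, or -1 on a malformed message. Assumed decoder. */
int parse_ext_info(const uint8_t *payload, size_t len)
{
    if (len < 5 || payload[0] != 7)
        return -1;
    uint32_t count = be32(payload + 1);
    size_t off = 5;
    if (count > MAX_EXTENSIONS || count > (len - off) / 8)
        return -1;                      /* implausible count: do not loop */
    for (uint32_t i = 0; i < count; i++) {
        for (int field = 0; field < 2; field++) {   /* name, then value */
            if (len - off < 4) return -1;
            uint32_t slen = be32(payload + off);
            off += 4;
            if (slen > len - off) return -1;        /* string runs past the end */
            off += slen;
        }
    }
    return (int)count;
}

/* Constructed samples (not captured traffic). */
const uint8_t BENIGN_PACKET[] = { 0,0,0,12, 4, 0x02,'h','e','l','l','o','!', 0,0,0,0 };
const uint8_t HOSTILE_HEADER[] = { 0xFF,0xFF,0xFF,0xF0, 4, 0,0,0,0,0,0,0,0,0,0,0 };
const uint8_t BAD_PADDING_PACKET[] = { 0,0,0,12, 20, 0x02,'h','e','l','l','o','!', 0,0,0,0 };
const uint8_t GOOD_EXT_INFO[] = {
    7, 0,0,0,1,
    0,0,0,15, 's','e','r','v','e','r','-','s','i','g','-','a','l','g','s',
    0,0,0,11, 's','s','h','-','e','d','2','5','5','1','9'
};
/* nr-extensions = 1000000 with only 8 bytes following it */
const uint8_t HOSTILE_EXT_INFO[] = { 7, 0x00,0x0F,0x42,0x40, 0,0,0,0,0,0,0,0 };

int main(void)
{
    struct ssh_packet p;
    printf("benign packet:    status %d\n", parse_packet(BENIGN_PACKET, sizeof BENIGN_PACKET, &p));
    printf("hostile header:   status %d\n", parse_packet(HOSTILE_HEADER, sizeof HOSTILE_HEADER, &p));
    printf("good ext-info:    %d extensions\n", parse_ext_info(GOOD_EXT_INFO, sizeof GOOD_EXT_INFO));
    printf("hostile ext-info: %d\n", parse_ext_info(HOSTILE_EXT_INFO, sizeof HOSTILE_EXT_INFO));
    return 0;
}
```

The ordering inside parse_packet is the point: the cap is compared first, the available byte count second, and only then is packet_length trusted for arithmetic. In parse_ext_info the count is bounded by what the message can physically carry, so a server cannot buy 60 seconds of CPU with a five-byte message.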
libssh2 1.11.1 and all older versions are affected. Since curl can be built against libssh2 for its SCP and SFTP support, the library ships in the package repositories of nearly all major Linux distributions. It is also used in backup systems, file transfer software, and in rarely updated network and IoT devices.
The flaws have already been fixed in the project's source repository on GitHub, in separate commits, but no official release containing them is available yet, so distribution maintainers currently have to backport the corrections into their packages themselves. CISOs should immediately audit their infrastructure for libssh2 dependencies and apply distribution patches as soon as they ship, or backport the upstream commits where waiting is not an option. On a given host, `curl -V` lists `libssh2/x.y.z` in its first line when curl is linked against the library, and `ldd` on any binary shows a dynamically linked copy; products that bundle or statically link their own copy will not be fixed by a distribution package and need a vendor update.
Source: www.it-daily.net · Published 22 June 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.