Massive security flaw discovered in popular SSH library libssh2

Two critical vulnerabilities affect libssh2, a widely used SSH library that may be embedded in millions of systems worldwide. Hackers can target exposed vulnerable instances remotely without any privileges or user interaction.
- An out-of-bounds write vulnerability with a 9.2 severity score allows attackers to achieve remote code execution.
- A secondary high-severity flaw enables malicious SSH servers to cause client CPU exhaustion.
- libssh2 is a dependency for tools like curl and other software.
Vulnerable libssh2 versions include 1.11.1 and all earlier releases. Patches are already available, but many official repositories might still contain vulnerable versions.
libssh2 is used for remote control and management of many systems. For example, libssh2 is the third-party library that curl depends on for SCP and SFTP support. It is present in most official package repositories for major Linux distributions.
The library is also widely used in backup tools, file transfer software, network/IoT devices that are rarely updated, and other applications. The bugs might affect a huge downstream ecosystem.
The first flaw is an out-of-bounds write vulnerability with a critical severity score of 9.2 out of 10, tracked as CVE-2026-55200.
libssh2 has an internal limit on the size of received packets but fails to enforce it, so an attacker can declare a larger size and write past the end of the receive buffer, corrupting the memory that follows it.
The attack is low-complexity, requires no privileges or authentication, and requires no user interaction. All the attacker needs is to find a system running a vulnerable version of libssh2 and exposing SSH functionality over the network.
“Remote attackers can send crafted SSH packets with excessively large packet_length values to corrupt heap memory and achieve remote code execution,” the advisory on GitHub reads.
The second bug causes denial-of-service and has a “high” severity score of 8.2 out of 10, tracked as CVE-2026-55199. It targets vulnerable clients connecting to compromised SSH servers.
“A pre-authentication denial of service vulnerability … allows a malicious SSH server to cause a client CPU exhaustion loop by sending a crafted extension count value,” the advisory explains.
During the authentication (initial key exchange), the server can declare an absurdly high number of supported extensions, “causing the client to spin in a tight CPU loop for over 60 seconds.”
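Both bugs come down to trusting a length or count field from the wire before bounding it. The following is an added illustration in C of the two checks a defender wants to see, not libssh2's own code: the packet limit (35000 bytes, from RFC 4253), the extension ceiling and the function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Limits assumed for this illustration; they are not libssh2's own constants.
 * RFC 4253 s6.1 asks implementations to handle packets of 35000 bytes. */
#define MAX_PACKET_LEN 35000u
#define MAX_EXTENSIONS 64u /* assumed ceiling on SSH_MSG_EXT_INFO entries */

static uint32_t rd_u32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Binary packet header (RFC 4253 s6): uint32 packet_length, byte padding_length.
 * The declared packet_length is checked against the limit and the receive
 * buffer BEFORE it drives any allocation or copy; omitting that check is the
 * defect class behind the out-of-bounds write. Returns the accepted length,
 * or 0 when the header must be rejected. */
uint32_t checked_packet_length(const uint8_t *hdr, size_t hdrlen, size_t bufsize) {
    if (hdrlen < 5) return 0;
    uint32_t packet_length = rd_u32(hdr);
    uint8_t padding_length = hdr[4];
    /* packet_length covers the padding_length byte, payload and >= 4 padding bytes */
    if (packet_length < 5u || (uint32_t)padding_length + 1u > packet_length) return 0;
    if (packet_length > MAX_PACKET_LEN || packet_length > bufsize) return 0;
    return packet_length;
}

/* SSH_MSG_EXT_INFO body (RFC 8308 s2.3): uint32 nr-extensions, then that many
 * (string name, string value) pairs. Each pair needs at least 8 bytes of length
 * prefixes, so a count above remaining/8 cannot be honest; bounding it before
 * looping prevents the CPU-exhaustion loop the advisory describes.
 * Returns the number of pairs walked, or -1 for a malformed message. */
int checked_extension_count(const uint8_t *body, size_t len) {
    if (len < 4) return -1;
    uint32_t n = rd_u32(body);
    size_t off = 4;
    if (n > MAX_EXTENSIONS || n > (len - 4) / 8) return -1;
    for (uint32_t i = 0; i < n; i++) {
        for (int field = 0; field < 2; field++) { /* name, then value */
            if (len - off < 4) return -1;
            uint32_t slen = rd_u32(body + off);
            off += 4;
            if (slen > len - off) return -1;
            off += slen;
        }
    }
    return (int)n;
}
```

A crafted header declaring 0xFFFFFFFF bytes, or an EXT_INFO count far beyond what the message could hold, is rejected before any buffer is sized or any loop iteration runs.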
The maintainers have already fixed the bugs via two GitHub commits: 97acf3d and 1762685, respectively. However, they haven’t yet released a new official libssh2 version. Linux distributions and other projects are scrambling to backport the fixes into their own packages.