Critical libssh2 Flaws Expose SSH Clients to RCE, DoS, and Memory Disclosure
Multiple vulnerabilities in libssh2 have exposed SSH clients and products that embed the library to attacks from malicious or impersonated SSH servers. The most severe issue, CVE-2026-55200, is a pre-authentication out-of-bounds heap write in ssh2_transport_read() that affects all versions through 1.11.1 and could allow remote code execution, while CVE-2026-55199 can force clients into a CPU-intensive loop during key exchange and cause denial of service. The library is widely used in curl, backup software, IoT firmware, and network appliances, raising broad supply-chain risk, especially where libssh2 is statically linked or bundled into downstream products.
A separate flaw, CVE-2025-15661, affects sftp_symlink() in src/sftp.c and can be triggered during SFTP READLINK or REALPATH operations when a malicious server or man-in-the-middle sends a crafted SSH_FXP_NAME response with an oversized link_len value. That bug causes a heap buffer over-read that may disclose memory contents or crash applications. Fixes were reported in commits 97acf3d, 1762685, and 2dae302, but at the time of reporting no official libssh2 release containing the newer patches had been published, leaving downstream vendors responsible for shipping their own updates.

How this story unfolded
9 events from the most recent confirmed update back to the earliest known activity.
Rust 1.96.1 released with fixes for bundled libssh2 CVEs
The Rust team released Rust 1.96.1, a point update that remediates three libssh2 vulnerabilities in the copy compiled into Cargo: CVE-2025-15661, CVE-2026-55199, and CVE-2026-55200. The release represents a downstream product update beyond the previously documented upstream libssh2 fixes and Debian advisory.
Report says CVE-2026-55200 is under active exploitation
A Register report on the removed 'exploitarium' repository said the libssh2 flaw CVE-2026-55200 was already under active exploitation when the exploit code and write-up were published. This marks an escalation from earlier reporting that had not confirmed in-the-wild exploitation.
CVE-2026-58050 disclosed in libssh2 publickey subsystem
A new high-severity libssh2 vulnerability, CVE-2026-58050, was published describing an integer overflow in publickey subsystem attribute allocation affecting libssh2 through version 1.11.1. The flaw can let a malicious SSH server trigger an undersized heap allocation and out-of-bounds writes on 32-bit platforms during attribute parsing in a connecting client.
Public PoC and exploit details released for CVE-2026-58050
A GitHub repository published proof-of-concept exploits targeting the libssh2 publickey subsystem, including a Win32 integer-overflow allocation-wrap path and a Win64 stale-cleanup/arbitrary-free chain, with demonstrations that launch calc.exe. The repository also documented two hardening changes—zero-initializing grown list entries and rejecting overflowing num_attrs allocations—that reportedly blocked the demonstrated exploit paths.
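The two hardening changes named above (rejecting overflowing num_attrs allocations and zero-initializing grown list entries), sketched as an added example. It is not code from libssh2 or from the repository mentioned; the types, function names and the 8-byte-per-attribute wire minimum are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical types for illustration; not libssh2's own structures. */
typedef struct { uint32_t name_len, value_len; } attr_t;
typedef struct { attr_t *attrs; uint32_t num_attrs; } key_entry_t;

/* Byte count as a 32-bit size_t would compute it: wraps silently. */
uint32_t attrs_bytes_unchecked32(uint32_t num_attrs)
{
    return num_attrs * (uint32_t)sizeof(attr_t);
}

/* Reject a server-supplied count whose byte size exceeds size_limit (pass
 * UINT32_MAX to model a 32-bit target) or that the remaining packet bytes
 * cannot hold (assumed minimum of 8 wire bytes per attribute). */
int attrs_alloc_checked(uint32_t num_attrs, size_t remaining,
                        uint64_t size_limit, attr_t **out)
{
    *out = NULL;
    if (num_attrs == 0) return 0;
    if (num_attrs > size_limit / sizeof(attr_t)) return -1;
    if (num_attrs > remaining / 8) return -1;
    *out = calloc(num_attrs, sizeof(attr_t));
    return *out ? 0 : -1;
}

/* Grow the key list and zero the new tail, so an error path that frees
 * every entry never sees stale pointers in the unparsed slots. */
int list_grow(key_entry_t **list, size_t *cap, size_t new_cap)
{
    key_entry_t *p;
    if (new_cap <= *cap || new_cap > SIZE_MAX / sizeof(key_entry_t)) return -1;
    p = realloc(*list, new_cap * sizeof(key_entry_t));
    if (!p) return -1;
    memset(p + *cap, 0, (new_cap - *cap) * sizeof(key_entry_t));
    *list = p; *cap = new_cap;
    return 0;
}

int main(void)
{
    attr_t *a;
    uint32_t n = 0x20000001u; /* constructed count: n * 8 wraps to 8 in 32 bits */
    printf("unchecked bytes: %u\n", (unsigned)attrs_bytes_unchecked32(n));
    printf("checked result: %d\n", attrs_alloc_checked(n, 64, UINT32_MAX, &a));
    return 0;
}
```

The size_limit parameter exists only so the 32-bit case can be exercised on a 64-bit build, where the same multiplication would not wrap.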
Debian publishes DSA-6365-1 libssh2 security update
Debian issued security advisory DSA-6365-1 for libssh2, indicating a downstream security update for the library. This adds a vendor response and package distribution milestone beyond the previously documented upstream fixes and disclosure.
Disclosure describes two new pre-authentication libssh2 flaws
A disclosure detailed CVE-2026-55200 and CVE-2026-55199 as affecting libssh2 through version 1.11.1, warning that the library's widespread use in tools, firmware, and appliances creates broad supply-chain exposure. At the time of the report, no official release containing the fixes had been published and no confirmed in-the-wild exploitation or public proof-of-concept was reported.
libssh2 master branch receives fixes for CVE-2026-55200 and CVE-2026-55199
Fixes for two pre-authentication libssh2 vulnerabilities were merged into the master branch as commits 97acf3d and 1762685. The flaws are CVE-2026-55200, an out-of-bounds heap write in ssh2_transport_read() that could enable remote code execution, and CVE-2026-55199, a denial-of-service issue caused by insufficient validation during key exchange.
Public PoC and exploit details released for CVE-2026-55200
A GitHub repository published technical exploit details for CVE-2026-55200 in libssh2, describing the packet_length integer wraparound, undersized allocation, and resulting out-of-bounds write path in ssh2_transport_read(). The repository also included PoC components such as an arithmetic verifier, a malicious SSH server scaffold, and a controlled local RCE harness demonstrating callback overwrite and proof-file creation.
libssh2 fixes CVE-2025-15661 in commit 2dae302
A heap buffer over-read in libssh2's sftp_symlink() function, tracked as CVE-2025-15661, was fixed in commit 2dae302. The flaw affects libssh2 through version 1.11.1 and can be triggered by a malicious SSH server or man-in-the-middle during SFTP READLINK or REALPATH operations.
Sources
15 references tracked.
Announcing Rust 1.96.1 | Rust Blog (blog.rust-lang.org)
Public PoC Released for Critical libssh2 CVE-2026-55200 Client-Side SSH Flaw (thehackernews.com)
Anonymous researcher drops 0-day 'exploitarium' repo (theregister.com)
CVE-2026-55200: Critical libssh2 Flaw Opens Remote Code Execution Path - TheCyberThrone (thecyberthrone.in)
exploitarium/libssh2-cve-2026-55200-poc at main · bikini/exploitarium · GitHub (github.com)
oss-sec: Re: libssh2: CVE-2026-55200 (critical), CVE-2025-15661 (high), CVE-2026-55199 (high) (seclists.org)
CVE-2025-15661 - libssh2 - Heap Buffer Over-read via sftp_symlink() in sftp.c (cvefeed.io)
transport.c: Additional boundary checks for packet length by willco007 · Pull Request #2052 · libssh2/libssh2 · GitHub (github.com)


