
Critical libssh2 Flaws Expose SSH Clients to RCE, DoS, and Memory Disclosure

Updated 1d ago | First seen Jun 18, 2026 | 15 sources

Multiple vulnerabilities in libssh2 have exposed SSH clients and products that embed the library to attacks from malicious or impersonated SSH servers. The most severe issue, CVE-2026-55200, is a pre-authentication out-of-bounds heap write in ssh2_transport_read() that affects all versions through 1.11.1 and could allow remote code execution, while CVE-2026-55199 can force clients into a CPU-intensive loop during key exchange and cause denial of service. The library is widely used in curl, backup software, IoT firmware, and network appliances, raising broad supply-chain risk, especially where libssh2 is statically linked or bundled into downstream products.

A separate flaw, CVE-2025-15661, affects sftp_symlink() in src/sftp.c and can be triggered during SFTP READLINK or REALPATH operations when a malicious server or man-in-the-middle sends a crafted SSH_FXP_NAME response with an oversized link_len value. That bug causes a heap buffer over-read that may disclose memory contents or crash applications. Fixes were reported in commits 97acf3d, 1762685, and 2dae302, but at the time of reporting no official libssh2 release containing the newer patches had been published, leaving downstream vendors responsible for shipping their own updates.
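The missing bound behind CVE-2025-15661, as an added example that is not libssh2's code or its patch: a parser for the first name in an SSH_FXP_NAME reply that checks the declared link_len against the bytes actually received. The function name, the reject-instead-of-truncate behaviour and the sample replies are assumptions made for illustration; the field layout follows SFTP version 3.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FXP_NAME 104u   /* SSH_FXP_NAME message type */
#define NAME_HDR 13u    /* type(1) + request-id(4) + count(4) + link_len(4) */

/* Constructed replies: one well-formed, one declaring 0x10000 bytes of name. */
static const uint8_t ok_reply[]  = {104, 0,0,0,1, 0,0,0,1, 0,0,0,4, '/','t','m','p'};
static const uint8_t bad_reply[] = {104, 0,0,0,1, 0,0,0,1, 0,1,0,0, '/','t','m','p'};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Copy the first name of an SSH_FXP_NAME reply into target as a C string.
 * Returns the name length, or -1 if the reply is malformed or does not fit. */
long read_link_target(const uint8_t *data, size_t data_len,
                      char *target, size_t target_len)
{
    uint32_t link_len;

    if (data_len < NAME_HDR || data[0] != FXP_NAME)
        return -1;                       /* header incomplete or wrong type */
    if (be32(data + 5) < 1)
        return -1;                       /* server returned no names */
    link_len = be32(data + 9);           /* length field chosen by the server */
    /* Without this comparison, the copy below reads link_len bytes from a
     * buffer that only holds data_len - NAME_HDR of them: the over-read. */
    if (link_len > data_len - NAME_HDR)
        return -1;
    if (link_len >= target_len)
        return -1;                       /* no room for the name plus NUL */
    memcpy(target, data + NAME_HDR, link_len);
    target[link_len] = '\0';
    return (long)link_len;
}

int main(void)
{
    char buf[64];
    printf("ok:  %ld\n", read_link_target(ok_reply, sizeof ok_reply, buf, sizeof buf));
    printf("bad: %ld\n", read_link_target(bad_reply, sizeof bad_reply, buf, sizeof buf));
    return 0;
}
```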


EVENT TIMELINE

How this story unfolded

9 events from the most recent confirmed update back to the earliest known activity.

Jun 30, 2026 (3d ago)

Rust 1.96.1 released with fixes for bundled libssh2 CVEs

The Rust team released Rust 1.96.1, a point update that remediates three libssh2 vulnerabilities in the copy compiled into Cargo: CVE-2025-15661, CVE-2026-55199, and CVE-2026-55200. The release represents a downstream product update beyond the previously documented upstream libssh2 fixes and Debian advisory.

Announcing Rust 1.96.1 | Rust Blog
Jun 29, 2026 (4d ago)

Report says CVE-2026-55200 is under active exploitation

A Register report on the removed 'exploitarium' repository said the libssh2 flaw CVE-2026-55200 was already under active exploitation when the exploit code and write-up were published. This marks an escalation from earlier reporting that had not confirmed in-the-wild exploitation.

Anonymous researcher drops 0-day 'exploitarium' repo
Jun 28, 2026 (5d ago)

CVE-2026-58050 disclosed in libssh2 publickey subsystem

A new high-severity libssh2 vulnerability, CVE-2026-58050, was published describing an integer overflow in publickey subsystem attribute allocation affecting libssh2 through version 1.11.1. The flaw can let a malicious SSH server trigger an undersized heap allocation and out-of-bounds writes on 32-bit platforms during attribute parsing in a connecting client.

CVE-2026-58050 - libssh2 - Integer Overflow in publickey Subsystem Attribute Allocation
Jun 26, 2026 (7d ago)

Public PoC and exploit details released for CVE-2026-58050

A GitHub repository published proof-of-concept exploits targeting the libssh2 publickey subsystem, including a Win32 integer-overflow allocation-wrap path and a Win64 stale-cleanup/arbitrary-free chain, with demonstrations that launch calc.exe. The repository also documented two hardening changes—zero-initializing grown list entries and rejecting overflowing num_attrs allocations—that reportedly blocked the demonstrated exploit paths.

exploitarium/libssh2-publickey-list-calc-poc at main · bikini/exploitarium · GitHub
Jun 25, 2026 (8d ago)

Debian publishes DSA-6365-1 libssh2 security update

Debian issued security advisory DSA-6365-1 for libssh2, indicating a downstream security update for the library. This adds a vendor response and package distribution milestone beyond the previously documented upstream fixes and disclosure.

[SECURITY] [DSA 6365-1] libssh2 security update
Jun 23, 2026 (9d ago)

Disclosure describes two new pre-authentication libssh2 flaws

A disclosure detailed CVE-2026-55200 and CVE-2026-55199 as affecting libssh2 through version 1.11.1, warning that the library's widespread use in tools, firmware, and appliances creates broad supply-chain exposure. At the time of the report, no official release containing the fixes had been published and no confirmed in-the-wild exploitation or public proof-of-concept was reported.

CVE-2026-55200: Critical libssh2 RCE Flaw Affects All Versions | The CyberSec Guru

libssh2 master branch receives fixes for CVE-2026-55200 and CVE-2026-55199

Fixes for two pre-authentication libssh2 vulnerabilities were merged into the master branch as commits 97acf3d and 1762685. The flaws are CVE-2026-55200, an out-of-bounds heap write in ssh2_transport_read() that could enable remote code execution, and CVE-2026-55199, a denial-of-service issue caused by insufficient validation during key exchange.

CVE-2026-55200: Critical libssh2 RCE Flaw Affects All Versions | The CyberSec Guru

Public PoC and exploit details released for CVE-2026-55200

A GitHub repository published technical exploit details for CVE-2026-55200 in libssh2, describing the packet_length integer wraparound, undersized allocation, and resulting out-of-bounds write path in ssh2_transport_read(). The repository also included PoC components such as an arithmetic verifier, a malicious SSH server scaffold, and a controlled local RCE harness demonstrating callback overwrite and proof-file creation.

exploitarium/libssh2-cve-2026-55200-poc at main · bikini/exploitarium · GitHub
Jun 18, 2026 (15d ago)

libssh2 fixes CVE-2025-15661 in commit 2dae302

A heap buffer over-read in libssh2's sftp_symlink() function, tracked as CVE-2025-15661, was fixed in commit 2dae302. The flaw affects libssh2 through version 1.11.1 and can be triggered by a malicious SSH server or man-in-the-middle during SFTP READLINK or REALPATH operations.

CVE-2025-15661 - libssh2 - Heap Buffer Over-read via sftp_symlink() in sftp.c
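The two hardening changes named in the Jun 26 entry on CVE-2026-58050 (rejecting overflowing num_attrs allocations and zero-initializing list entries), sketched as an added example that is not taken from libssh2 or from the repository described above. struct pk_attr, size32(), alloc_attrs() and the size_max parameter, which lets a 64-bit host model a 32-bit size_t, are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical record standing in for one parsed publickey attribute. */
struct pk_attr {
    char *name;
    char *value;
    uint32_t name_len, value_len;
};

#define ATTR_WIRE_MIN 8u   /* each attribute carries two uint32 length prefixes */

/* Byte count a 32-bit size_t computes for count records of elem bytes:
 * the product is reduced modulo 2^32, so a huge count gives a tiny size. */
uint32_t size32(uint32_t count, uint32_t elem)
{
    return (uint32_t)((uint64_t)count * elem);
}

/* Allocate a zeroed array for a server-supplied attribute count.
 * remaining: response bytes not yet consumed; size_max: largest size_t value
 * on the target (SIZE_MAX in real use). Returns NULL if the count is zero,
 * cannot fit in the packet, or would wrap the allocation size. */
struct pk_attr *alloc_attrs(uint32_t num_attrs, size_t remaining, size_t size_max)
{
    if (num_attrs == 0)
        return NULL;
    if (num_attrs > remaining / ATTR_WIRE_MIN)
        return NULL;    /* more attributes than the packet could encode */
    if (num_attrs > size_max / sizeof(struct pk_attr))
        return NULL;    /* num_attrs * sizeof(record) would overflow */
    /* calloc zero-fills, so an error-path cleanup that walks the array
     * finds NULL pointers instead of stale heap contents. */
    return calloc(num_attrs, sizeof(struct pk_attr));
}

int main(void)
{
    /* Constructed count: 0x10000001 records of 16 bytes wrap to 16 bytes. */
    printf("wrapped size: %u\n", (unsigned)size32(0x10000001u, 16u));
    printf("rejected: %d\n", alloc_attrs(0x10000001u, SIZE_MAX, UINT32_MAX) == NULL);
    return 0;
}
```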
LINKED ENTITIES

Related entities

Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.

54 linked

Affected products (21 linked): Libssh2, Libssh2, Debian, Vlc, Rustdesk, Gitea, Windows, Github, Anydesk, Mingw-W64, Splunk, Openvpn, Openssh, C-Ares, 7-Zip, Curl, Paramiko, Curl, Php, Git, Wine

Organizations (24 linked): Libssh2, Nixos, Debian, libssh2 Project, Rustdesk, Splunk, Linkedin, Offensive Security, Qualys, cvefeed.io, X, Microsoft Corporation, GitHub, AnyDesk Software GmbH, Oracle, VulnCheck, Ledger, Gitea, Google, NHS Digital, OpenCulinary C.I.C., OpenSSH Project, Federal Signal Corporation, CovertLab