Mallory rating: Unrated

Pre-authentication CPU exhaustion DoS in libssh2 SSH_MSG_EXT_INFO handler

Identifiers: CVE-2026-55199, CWE-835

CVE-2026-55199 is a pre-authentication denial-of-service vulnerability in libssh2 affecting versions through 1.11.1. The flaw is in the SSH_MSG_EXT_INFO handler in src/packet.c during SSH key exchange. A malicious SSH server can send a crafted extension count value, specifically setting nr_extensions to 0xFFFFFFFF, which causes the client to enter an excessive processing loop. The issue is caused by insufficient sanity checking of the advertised extension count and unchecked return values from _libssh2_get_string(). As a result, a libssh2-based client can spin in a tight CPU-bound loop for more than 60 seconds before authentication completes.
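The two defects the description names (an unbounded advertised extension count and an unchecked string-reader return value) are easiest to see in a parser that gets both right. The following is an added, self-contained C example written for this page; it is not libssh2's code and does not reproduce src/packet.c. It assumes only the SSH_MSG_EXT_INFO body layout from RFC 8308 (a uint32 nr-extensions followed by that many name/value string pairs), and its get_string() is a hypothetical stand-in for the _libssh2_get_string() call the description mentions. The sample payloads are constructed, not captured traffic.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical parser for the body of SSH_MSG_EXT_INFO (RFC 8308):
 *   uint32 nr-extensions
 *   repeat nr-extensions times: string extension-name, string extension-value
 * Not libssh2's implementation; it only shows the two checks the advisory
 * says the fix needs. */

enum ext_info_status {
    EXT_ERR_TRUNCATED = -1,   /* a string ran past the end of the packet */
    EXT_ERR_COUNT = -2        /* advertised count impossible for this packet */
};

static uint32_t read_u32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* SSH "string": uint32 length prefix followed by that many bytes.
 * Returns 0 and advances *p on success, -1 if the string does not fit.
 * Stand-in for _libssh2_get_string(); the point is that its result is
 * checked on every call. */
static int get_string(const uint8_t **p, const uint8_t *end,
                      const uint8_t **out, uint32_t *out_len)
{
    if ((size_t)(end - *p) < 4)
        return -1;
    uint32_t len = read_u32(*p);
    *p += 4;
    if ((size_t)(end - *p) < len)
        return -1;
    *out = *p;
    *out_len = len;
    *p += len;
    return 0;
}

/* Returns the number of extensions (>= 0) or a negative ext_info_status.
 * Every iteration must consume at least 8 bytes (two length prefixes), so
 * the advertised count is bounded by remaining/8 before the loop starts:
 * a crafted 0xFFFFFFFF on a small packet is rejected in O(1) instead of
 * driving billions of iterations. */
int parse_ext_info(const uint8_t *payload, size_t len)
{
    const uint8_t *p = payload, *end = payload + len;
    const uint8_t *name, *value;
    uint32_t name_len, value_len;

    if (len < 4)
        return EXT_ERR_TRUNCATED;
    uint32_t nr = read_u32(p);
    p += 4;

    if (nr > (uint32_t)((size_t)(end - p) / 8))
        return EXT_ERR_COUNT;

    for (uint32_t i = 0; i < nr; i++) {
        if (get_string(&p, end, &name, &name_len) != 0)
            return EXT_ERR_TRUNCATED;
        if (get_string(&p, end, &value, &value_len) != 0)
            return EXT_ERR_TRUNCATED;
    }
    return (int)nr;
}

/* Constructed sample: one extension, name "server-sig-algs", value "ssh-ed25519". */
static const uint8_t good_payload[] = {
    0x00, 0x00, 0x00, 0x01,
    0x00, 0x00, 0x00, 0x0f, 's','e','r','v','e','r','-','s','i','g','-','a','l','g','s',
    0x00, 0x00, 0x00, 0x0b, 's','s','h','-','e','d','2','5','5','1','9'
};

/* Constructed sample: count 1, but the value string claims 16 bytes and has 1. */
static const uint8_t truncated_payload[] = {
    0x00, 0x00, 0x00, 0x01,
    0x00, 0x00, 0x00, 0x01, 'x',
    0x00, 0x00, 0x00, 0x10, 'y'
};

/* Same bytes as good_payload, but with the advertised count replaced. */
static int parse_relabelled(uint32_t nr)
{
    uint8_t buf[sizeof good_payload];
    memcpy(buf, good_payload, sizeof buf);
    buf[0] = (uint8_t)(nr >> 24); buf[1] = (uint8_t)(nr >> 16);
    buf[2] = (uint8_t)(nr >> 8);  buf[3] = (uint8_t)nr;
    return parse_ext_info(buf, sizeof buf);
}

int check_good(void)      { return parse_ext_info(good_payload, sizeof good_payload); }
int check_crafted(void)   { return parse_relabelled(0xFFFFFFFFu); }
int check_truncated(void) { return parse_ext_info(truncated_payload, sizeof truncated_payload); }

int main(void)
{
    printf("good: %d, crafted count: %d, truncated: %d\n",
           check_good(), check_crafted(), check_truncated());
    return 0;
}
```

The count bound is deliberately derived from the bytes actually present rather than from a fixed constant, so a legitimate server advertising many small extensions is still accepted while a count that cannot possibly fit in the packet is refused before any work is done.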


Analyst brief: impact, mitigation & remediation

Impact


Successful exploitation allows a malicious or attacker-controlled SSH server to trigger a pre-authentication denial of service against a libssh2 client. The client can become effectively hung in a tight CPU exhaustion loop for over 60 seconds, consuming processor resources and disrupting SSH, SCP, or SFTP operations that rely on libssh2. The session timeout does not mitigate this condition because the loop is CPU-bound.

Mitigation


If immediate patching is not possible, reduce exposure by preventing libssh2-based clients from connecting to untrusted, attacker-controlled, or impersonated SSH servers. Enforce strict host key verification, avoid disabling trust checks, and limit outbound SSH/SCP/SFTP connectivity to trusted endpoints through network policy or segmentation. These measures reduce practical exploitability but do not remove the underlying flaw.

Remediation


Upgrade libssh2 to a version containing the upstream fix for commit 17626857d20b3c9a1addfa45979dadcee1cd84a4, or apply that patch if maintaining a custom build. Debian indicates a repaired package build at 1.11.1-1+deb13u1 for stable (trixie), and testing references also indicate fixed downstream packaging. The fix should include proper validation of the extension count and correct handling of _libssh2_get_string() return values in the SSH_MSG_EXT_INFO parsing path.

Public exploits

No public exploit code observed for this vulnerability.

Affected products & vendors

Vendor    Product    Type
Libssh2   Libssh2    application

Vendor-confirmed product mapping.
