CVE-2026-55200

HIGH 8.1

libssh2 - Out-of-Bounds Write via Unchecked packet_length in transport.c

CVSS Score

8.1

EPSS Score

0.0%

EPSS Percentile

0th

libssh2 through 1.11.1, fixed in commit 7acf3df contains an out-of-bounds write vulnerability in ssh2_transport_read() that fails to enforce upper bounds on packet_length field. Remote attackers can send crafted SSH packets with excessively large packet_length values to corrupt heap memory and achieve remote code execution.

CWE	CWE-680
Vendor	libssh2
Product	libssh2
Published	Jun 17, 2026
Last Updated	Jun 17, 2026

Stay Ahead of the Next One

Get instant alerts for libssh2 libssh2

Be the first to know when new high vulnerabilities affecting libssh2 libssh2 are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

libssh2 / libssh2

0 ≤ 1.11.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/libssh2/libssh2/pull/2052 github.com: https://github.com/libssh2/libssh2/commit/97acf3dfda80c91c3a8c9f2372546301d4a1a7a8 vulncheck.com: https://www.vulncheck.com/advisories/libssh2-out-of-bounds-write-via-unchecked-packet-length-in-transport-c

Credits

Tristan Madani (@TristanInSec)