External risk intelligence

libssh2 Out-of-Bounds Write Via Unchecked Packet Length in Transport

CVE advisorySeverity: CRITICAL (CVSS 9.2)

CVE-2026-55200

A vulnerability in libssh2 allows remote attackers to execute arbitrary code by sending crafted SSH packets with an invalid packet length, leading to heap memory corruption. This could enable attackers to gain control of affected systems. The exposure of this vulnerability depends on whether the affected software is pr

Remote Code Execution

Halo Surface Signal

Possible · external exposure

3Halo Surface Signal

libssh2 is a client-side library embedded in various applications. While the vulnerability allows remote code execution via network-facing SSH packets, the actual surface exposure depends on whether a specific application uses the library to process untrusted network input. It is not a standalone service, so exposure is determined by the implementation of the host software.

Horizon Alert

Summary of the vulnerability and why it matters

This advisory addresses a flaw in the libssh2 software that could allow an unauthorized, remote attacker to execute malicious code by sending specially crafted network data. The vulnerability stems from an issue in how the software handles certain network packet lengths, potentially leading to memory corruption. The main concern is confirming if this software is in use and processing untrusted network input.

  • Flaw allows remote code execution via crafted network data.
  • Leadership should remember if libssh2 is used in key systems.
  • Confirm relevance and exposure in your environment.

Attack Path

How an attacker could exploit the issue

An attacker could reach this vulnerability by sending specially crafted SSH packets over the network to a system that uses the vulnerable libssh2 library. The library's `ssh2_transport_read()` function does not properly check the size of incoming packet data. This oversight allows an attacker to send packets with an excessively large `packet_length` field. By exploiting this, an attacker could overwrite heap memory, potentially leading to the execution of arbitrary code on the targeted system.

  • Network access required.
  • Sending oversized SSH packets.
  • Remote code execution.

Live Threat

Current exploitation, exposure, and threat context

A critical vulnerability in libssh2 could allow remote attackers to execute arbitrary code on affected systems. This occurs when a system processes specially crafted SSH packets with oversized length fields, potentially corrupting memory and leading to unauthorized code execution.

  • Heap memory corruption.
  • Network packets with large lengths.
  • Remote code execution.

Operational Fix

Recommended remediation, mitigation, and detection steps

The libssh2 library is commonly embedded within client applications, meaning its exposure is determined by how those applications process network input. Application owners and platform teams are likely responsible for identifying where this library is used, assessing its reachability and criticality within their specific deployments, and coordinating remediation efforts. The first practical step involves locating all instances of the affected technology, confirming network accessibility and business impact, and then planning remediation based on the identified risk.

  • Application owners should own the issue.
  • Verify application processing of network input.
  • Plan remediation based on risk.

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-55200 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This CVE involves remote code execution, which is an automatic fail for PCI ASV scans. Exploiting this vulnerability could allow attackers to corrupt heap memory and gain control of affected systems.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Free EASM Trial See How Signal Works

Frequently asked questions

What is libssh2 and why is it used?

libssh2 is a programming library that allows software developers to add SSH support to their applications. Because it handles encrypted network communication, it is widely embedded in many different types of client-side software, tools, and services to enable secure data transfer or remote system management. It is a fundamental building block for connectivity rather than a standalone program.

What does CWE-680 mean for CVE-2026-55200?

CWE-680 refers to an Integer Overflow to Buffer Overflow weakness. In this specific CVE, the library fails to verify the size of incoming SSH packet length fields. When an excessively large value is processed, the library miscalculates the memory needed, causing an out-of-bounds write. This corrupts the heap memory, potentially allowing an attacker to overwrite data and execute their own code.

How does an attacker trigger this vulnerability?

An attacker must send a specifically crafted SSH packet with a packet_length field that exceeds the intended limits to an application using the affected libssh2 code. It is important to note that sending standard, legitimate SSH traffic will not trigger this issue. The vulnerability specifically requires the processing of malicious, oversized data that the library fails to validate before attempting to write it to memory.

Do I need to worry if my system uses libssh2?

According to Halo Surface Signal, the risk depends heavily on how your specific application uses the library. Because libssh2 is embedded, it is not always exposed; it only matters if your application uses it to process untrusted network input from the internet. You should verify if your software accepts external connections using this library, as internal or non-network-facing implementations may present a lower immediate risk.

What are the first steps to handle CVE-2026-55200?

Start by performing an inventory to locate where libssh2 is embedded within your environment, as it is often a hidden dependency. Once you identify the applications using this library, review their configurations to determine if they process untrusted network traffic. Coordinate with your platform or development teams to verify the specific versions in use and monitor for official updates provided by your software vendors or maintainers.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished