UPDATE: Public PoC released for the libssh2 pre-auth heap write (CVE-2026-55200)
From CTI Daily Brief — 2026-06-30 · published 2026-06-30
UPDATE (originally covered 2026-06-28): A public proof-of-concept scaffold for CVE-2026-55200 (CVSS 9.2) appeared on 2026-06-29, and no official libssh2 release carrying the fix has been tagged yet — the patch commit was merged to mainline on 2026-06-12 but downstream consumers must build from source or pin manually (The Hacker News, 2026-06-29).
The flaw is in ssh2_transport_read() in transport.c, which fails to bound the attacker-controlled packet_length field during the SSH transport handshake; a 0xffffffff value triggers an integer overflow so malloc allocates a tiny buffer while the subsequent write fills the full oversized packet, corrupting the heap before authentication (VulnCheck, 2026-06-17). Because libssh2 is the client linked into git, curl, PHP, and many CI/CD runners, a malicious or compromised SSH server can corrupt memory in connecting clients — the supply-chain/CI-CD direction is the realistic risk. Pin or rebuild libssh2 from the patched commit in pipeline images now, and surface libssh2 versions through SBOM tooling.
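The size wrap described above, next to the bounds check that prevents it, as an added example (not libssh2's code or its patch). The function names, the 4-byte overhead added to packet_length, and the 12/35000 limits are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical limits for this example (not libssh2's constants).
 * RFC 4253 section 6.1 requires handling total packets up to 35000 bytes. */
#define EX_LEN_FIELD  4u     /* assumed overhead: the length field itself */
#define EX_MIN_PACKET 12u    /* 16-byte minimum packet minus the length field */
#define EX_MAX_PACKET 35000u

/* Read the big-endian uint32 packet_length from the wire. */
static uint32_t ex_read_u32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Unchecked pattern: 32-bit addition wraps, so 0xffffffff + 4 == 3.
 * Returns the size that would be handed to malloc(). */
uint32_t ex_alloc_size_unchecked(const unsigned char *hdr)
{
    uint32_t packet_length = ex_read_u32(hdr);
    return packet_length + EX_LEN_FIELD;      /* wraps modulo 2^32 */
}

/* Checked pattern: validate the field before any arithmetic or allocation.
 * Returns 0 and sets *out on success, -1 if the peer's length is rejected. */
int ex_alloc_size_checked(const unsigned char *hdr, size_t *out)
{
    uint32_t packet_length = ex_read_u32(hdr);
    if (packet_length < EX_MIN_PACKET || packet_length > EX_MAX_PACKET)
        return -1;                             /* caller drops the connection */
    *out = (size_t)packet_length + EX_LEN_FIELD;  /* bounded above, cannot wrap */
    return 0;
}

int main(void)
{
    /* Constructed headers: an out-of-range length and an ordinary one. */
    const unsigned char hostile[4] = {0xff, 0xff, 0xff, 0xff};
    const unsigned char normal[4]  = {0x00, 0x00, 0x04, 0x00};
    size_t n = 0;
    printf("unchecked size: %u\n", (unsigned)ex_alloc_size_unchecked(hostile));
    printf("checked (hostile): %d\n", ex_alloc_size_checked(hostile, &n));
    int rc = ex_alloc_size_checked(normal, &n);
    printf("checked (normal): %d, size %zu\n", rc, n);
    return 0;
}
```

When reviewing a vendored or rebuilt copy, the thing to confirm is that the length is rejected before it reaches any size computation, not clamped afterwards.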