ctipilot.ch

libssh2 infinite-loop pre-auth DoS via crafted SSH_MSG_EXT_INFO (CVSS 8.2)

cve · CVE-2026-55199

  • Coverage timeline: 1 (first 2026-06-28 → last 2026-06-28)
  • Briefs: 1 (1 distinct)
  • Sources cited: 2 (2 hosts)
  • Sections touched: 0
  • Co-occurring entities: 2 (see Related entities below)

Story timeline

  1. 2026-06-28: CTI Daily Brief — 2026-06-28

Source distribution

  • advisories.ncsc.nl: 1 (50%)
  • github.com: 1 (50%)

Related entities

Items in briefs about libssh2 infinite-loop pre-auth DoS via crafted SSH_MSG_EXT_INFO (CVSS 8.2) (1)

CVE-2026-55200 — libssh2 heap out-of-bounds write in `ssh2_transport_read()` with public PoC; companion pre-auth DoS CVE-2026-55199

From CTI Daily Brief — 2026-06-28 · published 2026-06-28

CVE-2026-55200 is a heap out-of-bounds write (CWE-680 integer-overflow-to-buffer-overflow) in libssh2's `ssh2_transport_read()`: the `packet_length` field in an SSH transport packet is not bounds-checked before allocation, so a malicious or compromised SSH server can send a crafted length to corrupt a connecting client's heap — leading to DoS or, where ASLR is absent, potential remote code execution. NCSC-NL updated advisory NCSC-2026-0210 on 2026-06-24 to note that a public PoC has appeared confirming code execution under specific conditions; the GitHub advisory scores it CVSS 9.2 (NCSC-NL, 2026-06-24; GitHub Advisory GHSA-r8mh-x5qv-7gg2, 2026-06-23).

The companion flaw CVE-2026-55199 (CVSS 8.2, CWE-835 infinite loop via a crafted `SSH_MSG_EXT_INFO` extension count → pre-auth CPU exhaustion/DoS) is also unfixed in 1.11.1. libssh2 is embedded in curl, the PHP ssh2 extension, FileZilla, WinSCP, Bitvise and many network appliances, so downstream exposure depends on vendor uptake.

Technique class: T1190 (client-side, when tricked into connecting to an attacker-controlled server) for the OOB write; T1499.004 for the DoS.

Affected: libssh2 ≤ 1.11.1; fixes are commit 97acf3df (55200) and 1762685 (55199), with no tagged release (1.11.2) yet.

Detection/hardening: hunt heap-corruption crashes in processes using libssh2 (PHP-FPM, curl, scp wrappers); inventory embedded libssh2 versions in appliances/tooling; confirm ASLR is enabled (`/proc/sys/kernel/randomize_va_space = 2`) to raise the bar on the code-execution path; constrain automation hosts to known SSH endpoints.
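
One way to carry out the inventory and ASLR checks from the detection/hardening guidance above, as an added example that is not part of the brief or of libssh2. It assumes a Linux host and that each build kept libssh2's default `SSH-2.0-libssh2_<version>` banner string; the function names and the script name are illustrative.

```shell
#!/bin/sh
# Added example (not from the brief): inventory libssh2 copies and check ASLR.
# Assumption: builds keep libssh2's default banner "SSH-2.0-libssh2_<version>",
# so the version can be read from shared objects and static binaries alike.

# Print each libssh2 version string embedded in file $1 (nothing if none).
libssh2_version_in() {
    LC_ALL=C grep -a -o 'SSH-2\.0-libssh2_[0-9][0-9.]*' "$1" 2>/dev/null |
        sed 's/.*libssh2_//; s/\.$//' | sort -u
}

# Exit 0 when version $1 is <= 1.11.1, the affected range given in the brief.
is_affected() {
    echo "$1" | awk -F. '{ v = $1 * 1000000 + $2 * 1000 + $3; exit !(v <= 1011001) }'
}

# Report file, embedded version and verdict, tab-separated.
scan_file() {
    for v in $(libssh2_version_in "$1"); do
        if is_affected "$v"; then s="REVIEW: <= 1.11.1"; else s="newer than 1.11.1"; fi
        printf '%s\t%s\t%s\n' "$1" "$v" "$s"
    done
}

# Map the kernel ASLR setting to a label; the brief asks for value 2.
aslr_status() {
    case "$(cat "${1:-/proc/sys/kernel/randomize_va_space}" 2>/dev/null)" in
        2) echo full ;; 1) echo partial ;; 0) echo off ;; *) echo unknown ;;
    esac
}

# List running processes that have a libssh2 shared object mapped (Linux /proc).
procs_using_libssh2() {
    for m in /proc/[0-9]*/maps; do
        lib=$(grep -m1 -o '/[^ ]*libssh2[^ ]*' "$m" 2>/dev/null) || continue
        pid=${m#/proc/}; pid=${pid%/maps}
        printf '%s\t%s\t%s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)" "$lib"
    done
}

# Usage: sh libssh2_inventory.sh /usr/lib /opt /usr/local/bin
if [ "$#" -gt 0 ]; then
    echo "ASLR: $(aslr_status)"
    find "$@" -type f 2>/dev/null | while IFS= read -r f; do scan_file "$f"; done
    procs_using_libssh2
fi
```

A REVIEW hit means the copy reports a version in the affected range; the version string cannot show whether a vendor backported the fix commits.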