CVE-2026-55200 — libssh2 heap out-of-bounds write in ssh2_transport_read() with public PoC; companion pre-auth DoS CVE-2026-55199
Part of run 2026-06-28-1b30612a (intel · Claude Opus 4.8 (1M context))
CVE-2026-55200 is a heap out-of-bounds write (CWE-680 integer-overflow-to-buffer-overflow) in libssh2's ssh2_transport_read(): the packet_length field in an SSH transport packet is not bounds-checked before allocation, so a malicious or compromised SSH server can send a crafted length to corrupt a connecting client's heap, leading to DoS or, where ASLR is absent, potential remote code execution.
NCSC-NL updated advisory NCSC-2026-0210 on 2026-06-24 to note that a public PoC has appeared confirming code execution under specific conditions; the GitHub advisory scores it CVSS 9.2 (NCSC-NL, 2026-06-24; GitHub Advisory GHSA-r8mh-x5qv-7gg2, 2026-06-23).
The companion flaw CVE-2026-55199 (CVSS 8.2, CWE-835 infinite loop via a crafted SSH_MSG_EXT_INFO extension count → pre-auth CPU exhaustion/DoS) is also unfixed in 1.11.1.
libssh2 is embedded in curl, the PHP ssh2 extension, FileZilla, WinSCP, Bitvise and many network appliances, so downstream exposure depends on vendor uptake.
Technique class: T1190 (client-side, when tricked into connecting to an attacker-controlled server) for the OOB write; T1499.004 for the DoS.
Affected: libssh2 ≤ 1.11.1; fixes are commit 97acf3df (55200) and 1762685 (55199), with no tagged release (1.11.2) yet.
Detection/hardening: hunt heap-corruption crashes in processes using libssh2 (PHP-FPM, curl, scp wrappers); inventory embedded libssh2 versions in appliances/tooling; confirm ASLR is enabled (/proc/sys/kernel/randomize_va_space = 2) to raise the bar on the code-execution path; constrain automation hosts to known SSH endpoints.
“Update (2026-06-24): Public PoC code has appeared confirming that the vulnerability can, under specific circumstances, lead to the execution of arbitrary code” — NCSC-NL
“Out-of-bounds write flaw in ssh2_transport_read() that fails to enforce upper bounds on packet_length field; CVSS 9.2 Critical” — GitHub Advisory GHSA-r8mh-x5qv-7gg2
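An added illustration of the bug class described above (CWE-680), not libssh2's code or its fix commit: a length read from the wire wraps in 32-bit arithmetic unless it is bounded before the allocation size is computed. The limits, function names and sample header bytes are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Example limits (assumptions, not libssh2's constants). RFC 4253 section 6
 * obliges implementations to handle packets of up to 35000 bytes in total. */
#define MAX_PACKET_LEN 35000u
#define MIN_PACKET_LEN 5u  /* 1 padding_length byte + 4 bytes minimum padding */
#define MAX_MAC_LEN    64u

/* packet_length is the big-endian uint32 that starts an SSH binary packet. */
static uint32_t read_u32_be(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Unchecked sizing: the 32-bit sum wraps, so the buffer comes out far smaller
 * than the packet_length bytes a later read would write into it. */
uint32_t unchecked_alloc_size(const uint8_t hdr[4], uint32_t mac_len)
{
    return read_u32_be(hdr) + mac_len;
}

/* Checked sizing: bound both inputs before any arithmetic or allocation.
 * Returns 0 and stores the size in *out, or -1 for a header to reject. */
int checked_alloc_size(const uint8_t hdr[4], uint32_t mac_len, size_t *out)
{
    uint32_t packet_length = read_u32_be(hdr);

    if (packet_length < MIN_PACKET_LEN || packet_length > MAX_PACKET_LEN)
        return -1;
    if (mac_len > MAX_MAC_LEN)
        return -1;
    *out = (size_t)packet_length + mac_len;  /* bounded, cannot wrap */
    return 0;
}

int main(void)
{
    const uint8_t hdr[4] = { 0xff, 0xff, 0xff, 0xf0 };  /* constructed sample */
    size_t n = 0;

    printf("unchecked size: %u\n", (unsigned)unchecked_alloc_size(hdr, 32));
    printf("checked result: %d\n", checked_alloc_size(hdr, 32, &n));
    return 0;
}
```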
Action items
- Inventory and remediate libssh2 (§ 2, CVE-2026-55200 / -55199): identify embedded libssh2 ≤ 1.11.1 in curl, PHP ssh2, WinSCP/FileZilla and appliances; apply downstream vendor fixes / the patched commits; confirm ASLR is enabled on hosts running SSH-client automation; restrict automation to known SSH endpoints.
Update chain
- updated by Public PoC released for the libssh2 pre-auth heap write (CVE-2026-55200) 2026-06-30