libssh2 - Out-of-Bounds Write via Unchecked packet_length in transport.c | Advisories

Advisories

libssh2 - Out-of-Bounds Write via Unchecked packet_length in transport.c

severity: critical
date: 6/17/2026
Affecting: libssh2 <= 1.11.1, fixed in commit 7acf3df
CVE: CVE-2026-55200
CWE: CWE-680 Integer Overflow to Buffer Overflow
CVSS: 9.2
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: Pull Request
Patch Commit
Credit: Tristan Madani (@TristanInSec)
Description: libssh2 through 1.11.1, fixed in commit 7acf3df contains an out-of-bounds write vulnerability in ssh2_transport_read() that fails to enforce upper bounds on packet_length field. Remote attackers can send crafted SSH packets with excessively large packet_length values to corrupt heap memory and achieve remote code execution.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo