Severity: HIGH | CVE-2026-55199 | CNA: VulnCheck

CVE-2026-55199: libssh2 - Pre-Authentication DoS via SSH_MSG_EXT_INFO Handler

libssh2 through 1.11.1, fixed in commit 1762685, contains a pre-authentication denial of service vulnerability in the SSH_MSG_EXT_INFO handler in src/packet.c that allows a malicious SSH server to cause a client CPU exhaustion loop by sending a crafted extension count value. A malicious server can set nr_extensions to 0xFFFFFFFF during key exchange, causing the client to spin in a tight CPU loop for over 60 seconds because return values from _libssh2_get_string() are unchecked and the session timeout does not apply to CPU-bound loops.
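
The pattern described above, as an added C example (not libssh2's code and not the change made in the fix commit): a loop bounded by a peer-supplied count with ignored read results, next to a checked form that bounds the count by the bytes remaining and stops at the first failed read. `struct buf`, `get_u32`, `get_string` and both `ext_info_*` functions are hypothetical names; the layout (uint32 count, then name/value string pairs) is that of SSH_MSG_EXT_INFO in RFC 8308.

```c
#include <stddef.h>
#include <stdint.h>
/* Cursor over a packet body (hypothetical type, not libssh2's own). */
struct buf { const uint8_t *p; size_t left; };

static int get_u32(struct buf *b, uint32_t *out) {
    if (b->left < 4) return -1;
    *out = ((uint32_t)b->p[0] << 24) | ((uint32_t)b->p[1] << 16) |
           ((uint32_t)b->p[2] << 8) | (uint32_t)b->p[3];
    b->p += 4; b->left -= 4;
    return 0;
}

/* SSH "string": uint32 length, then that many bytes. -1 if truncated. */
static int get_string(struct buf *b, const uint8_t **s, uint32_t *len) {
    struct buf save = *b;
    if (get_u32(b, len) || *len > b->left) { *b = save; return -1; }
    *s = b->p; b->p += *len; b->left -= *len;
    return 0;
}

/* Unchecked pattern: peer-supplied loop bound, read failures ignored.
   Returns how many iterations ran. */
uint64_t ext_info_unchecked(const uint8_t *body, size_t n) {
    struct buf b = { body, n };
    uint32_t count = 0, len = 0; const uint8_t *s = NULL; uint64_t iters = 0;
    if (get_u32(&b, &count)) return 0;
    for (uint32_t i = 0; i < count; i++, iters++) {
        get_string(&b, &s, &len);          /* name: result ignored */
        get_string(&b, &s, &len);          /* value: result ignored */
    }
    return iters;
}

/* Checked form: count bounded by bytes left, stop at first failed read.
   Returns extensions parsed, or -1 for a malformed message. */
int64_t ext_info_checked(const uint8_t *body, size_t n) {
    struct buf b = { body, n };
    uint32_t count = 0, len = 0; const uint8_t *s = NULL;
    if (get_u32(&b, &count)) return -1;
    if (count > b.left / 8) return -1;     /* each entry needs >= 8 bytes */
    for (uint32_t i = 0; i < count; i++)
        if (get_string(&b, &s, &len) || get_string(&b, &s, &len)) return -1;
    return (int64_t)count;
}
/* Constructed samples: body after the message-type byte. */
static const uint8_t EXT_OK[] = "\x00\x00\x00\x01" "\x00\x00\x00\x0f"
    "server-sig-algs" "\x00\x00\x00\x0b" "ssh-ed25519";
static const uint8_t EXT_HUGE[] = "\xff\xff\xff\xff"; /* count only, no entries */
```

With `EXT_HUGE` the unchecked form would run 0xFFFFFFFF iterations over an empty buffer, which is the CPU-bound loop the advisory describes; the checked form rejects the message before looping.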

Metrics

  • CVSS v4.0: 8.2
  • Severity: HIGH
  • Fixed in: 17626857d20b3c9a1addfa45979dadcee1cd84a4
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A pre-authentication denial-of-service vulnerability exists in the SSH_MSG_EXT_INFO handler in libssh2 through version 1.11.1. The flaw is reachable over the network without any credentials, because it triggers during the SSH key-exchange phase before authentication completes; a malicious SSH server sends a crafted extension count value (0xFFFFFFFF) that forces the connecting client into a tight CPU loop lasting over 60 seconds. Successful exploitation exhausts client CPU resources, effectively hanging the connection and any workload depending on it. A patched-image rebuild at the fix commit (1762685) is available on HarborGuard for environments running an affected version of libssh2.

HarborGuard Coverage

Detection

Detection for CVE-2026-55199 is available across every HarborGuard environment, with the CVE matched against customer images, including custom-built images, within minutes of ingestion from upstream advisory feeds. Any image packaging libssh2 at or below version 1.11.1 is flagged automatically across customer registries and CI/CD pipelines.

Status: Available

Triage

HarborGuard scores this CVE at 8.2 HIGH using the CVSS v4.0 vector, and that score is available for per-environment compliance policy weighting so triage is routed to the appropriate team or inbox inside each customer organization. Environments with stricter availability-impact policies will see this issue elevated accordingly during the triage pass.

Status: Available

Patch

A patched-image rebuild pinned to the fix commit (17626857d20b3c9a1addfa45979dadcee1cd84a4) is available on HarborGuard for any environment found running an affected libssh2 version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker must operate a reachable SSH server that the vulnerable libssh2 client connects to over the network; the malicious payload is delivered during the key-exchange handshake before any authentication occurs.

  • Authentication: Not required

    No credentials are needed; the vulnerability is triggered during the pre-authentication key-exchange phase, so an unauthenticated server can exploit connecting clients.

  • Victim interaction: Not required

    No user action beyond initiating an SSH connection is required; the client's normal connection attempt is sufficient to trigger the CPU exhaustion loop.

  • Attack complexity: Detail

    The base exploit is straightforward and condition-free (AC:L), though the CVSS vector notes an attack target precondition (AT:P), meaning the attacker must be in a position where the victim client connects to the attacker-controlled server, such as via DNS spoofing, a rogue known-host entry, or a compromised server the client already trusts.

Blast Radius

  • The libssh2 client process is forced into a tight CPU loop for 60 or more seconds, consuming an entire CPU core and stalling any application logic that depends on the SSH session.
  • Any workload, script, or service using libssh2 to connect to remote hosts hangs for the duration of the loop, causing timeouts and cascading failures in dependent pipelines or services.
  • Repeated connections to the malicious server allow an attacker to sustain the CPU exhaustion indefinitely, effectively making the affected host unresponsive to other work.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-55199 is active across customer environments, matching any image that packages libssh2 1.11.1 or earlier. A rebuilt image at the fix commit (17626857d20b3c9a1addfa45979dadcee1cd84a4) is available for affected environments. For customers who opt into auto-remediation, HarborGuard triggers the rebuild, runs regression tests, and opens a pull request against affected workloads; for HIGH-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where auto-remediation is not enabled or compliance policy requires manual sign-off, the rebuilt image and the associated diff are surfaced in the HarborGuard dashboard for engineer review. As a compensating control while a rebuild is being reviewed, consider isolating workloads that initiate outbound SSH connections behind a network policy that restricts which hosts they may connect to, reducing exposure to attacker-controlled servers.


Fix available

17626857d20b3c9a1addfa45979dadcee1cd84a4

Affected packages

  • libssh2 / libssh2: ≤ 1.11.1, fixed in 17626857d20b3c9a1addfa45979dadcee1cd84a4

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N