HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-55200Published Modified CNA VulnCheck

CVE-2026-55200: libssh2 - Out-of-Bounds Write via Unchecked packet_length in transport.c

libssh2 through 1.11.1, fixed in commit 7acf3df contains an out-of-bounds write vulnerability in ssh2_transport_read() that fails to enforce upper bounds on packet_length field. Remote attackers can send crafted SSH packets with excessively large packet_length values to corrupt heap memory and achieve remote code execution.

Metrics

CVSS v4.0
9.2
Severity
CRITICAL
Fixed in
7acf3dfda80c91c3a8c9f2372546301d4a1a7a8
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

An out-of-bounds write vulnerability exists in libssh2 through version 1.11.1, located in the ssh2_transport_read() function in transport.c. The function fails to enforce an upper bound on the packet_length field, allowing a remote, unauthenticated attacker to send a crafted SSH packet over the network. Successful exploitation corrupts heap memory and enables remote code execution on the affected host. A patched-image rebuild at fix commit 7acf3dfda80c91c3a8c9f2372546301d4a1a7a8 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-55200 is available across every HarborGuard environment, with the CVE ingested from upstream feeds within minutes of publication and matched against all images in customer registries and CI/CD pipelines, including custom-built images that bundle libssh2. Coverage applies regardless of whether libssh2 is installed as a system package or vendored directly into an application layer.

Available
Triage

HarborGuard is capable of scoring this CVE at its published CVSS v4.0 severity of 9.2 (Critical) and weighting that score against each customer organization's per-environment compliance policy. Triage routing to the appropriate team inbox within each customer org is available automatically based on policy configuration.

Available
Patch

A patched-image rebuild pinned to fix commit 7acf3dfda80c91c3a8c9f2372546301d4a1a7a8 is available on HarborGuard for any environment found running an affected version of libssh2. For customers who opt into auto-remediation, HarborGuard is capable of triggering a rebuild, running a regression test suite against the new image, and opening a pull request against affected workloads without manual intervention.

Available

Exploit Conditions

  • Network reachabilityRequired

    The attacker must reach the target's SSH service over the network; no prior foothold on the host is needed.

  • AuthenticationNot required

    No account or credential is required; the vulnerable code path is exercised during unauthenticated packet parsing.

  • Victim interactionNot required

    No user action is needed; the attacker drives the exploit entirely by sending crafted SSH packets.

  • Attack complexityDetail

    Base exploit conditions are low-complexity, though the CVSS AT:P token indicates that specific target configuration factors (such as heap layout) must align, making fully reliable exploitation dependent on environmental conditions.

Blast Radius

  • Attacker achieves remote code execution on the host running the vulnerable libssh2 instance.
  • Heap memory corruption grants read and write access to process memory, exposing in-memory secrets such as private keys, session credentials, and decrypted SSH payloads.
  • Attacker can modify in-memory state of the affected process, potentially pivoting to persistent access or lateral movement within the container or host network.
  • The affected service process crashes if exploitation is not fully successful, disrupting SSH-dependent workflows and any application relying on libssh2 for connectivity.

How HarborGuard Handles This

Available on HarborGuard: detection, triage, and patch readiness for CVE-2026-55200 are available across all connected environments. For environments with auto-remediation enabled, HarborGuard is capable of rebuilding affected images at the patched commit (7acf3dfda80c91c3a8c9f2372546301d4a1a7a8), running regression tests against the rebuilt image, and opening a pull request against affected workloads. For Critical-severity issues, median time from CVE publication to a merged patch PR is around 90 minutes for environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, HarborGuard surfaces the finding with CVSS 9.2 Critical scoring and routes it to the configured team inbox for manual review. Given the unauthenticated remote code execution impact, prioritizing immediate rebuild or network-policy isolation of workloads exposing libssh2-backed SSH services is strongly advised as an interim compensating control.

See how HarborGuard automates this

Fix available

7acf3dfda80c91c3a8c9f2372546301d4a1a7a8
Patch commits
Affected packages
  • libssh2 / libssh2
    ≤ 1.11.1
    Fixed in 7acf3dfda80c91c3a8c9f2372546301d4a1a7a8
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References