The Hacker News · EN news source

Public PoC Released for Critical libssh2 CVE-2026-55200 Client-Side SSH Flaw

By The Hacker News · 3 min read

A public proof-of-concept has been released for CVE-2026-55200, a critical memory corruption issue in libssh2 (affecting all releases up to and including 1.11.1) that allows a malicious or compromised SSH server to trigger a heap overflow during the SSH handshake, potentially leading to code execution without credentials or user interaction. Because libssh2 is commonly embedded in products such as curl, Git, PHP, and various embedded/firmware updaters, often as statically linked binaries, many systems may remain vulnerable even where package updates are not straightforward. Mitigation depends on applying the upstream fix (commit 97acf3dfda80c91c3a8c9f2372546301d4a1a7a8) or waiting for downstream patched releases, and on restricting outbound SSH access to trusted endpoints until then.
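Because statically linked copies will not show up in package manager queries, one way to find them is to look for libssh2's default client banner, "SSH-2.0-libssh2_<version>", which stays embedded in the binary. The scanner below is an added example, not code from the article or the libssh2 project; the sample blobs are constructed stand-ins for real files.

```python
import re
from pathlib import Path

# libssh2's default client banner is "SSH-2.0-libssh2_" followed by
# LIBSSH2_VERSION, so the version string survives static linking.
BANNER_RE = re.compile(rb"SSH-2\.0-libssh2_(\d+)\.(\d+)\.(\d+)")
# CVE-2026-55200: every release up to and including 1.11.1 is affected.
LAST_AFFECTED = (1, 11, 1)


def find_libssh2_versions(data):
    """Return each distinct libssh2 version banner found in a blob, in order."""
    seen = []
    for m in BANNER_RE.finditer(data):
        ver = tuple(int(x) for x in m.groups())
        if ver not in seen:
            seen.append(ver)
    return seen


def is_affected(version):
    # Tuple comparison orders (major, minor, patch) correctly.
    return version <= LAST_AFFECTED


def scan_blob(name, data):
    versions = find_libssh2_versions(data)
    return {
        "file": name,
        "versions": [".".join(map(str, v)) for v in versions],
        "affected": any(is_affected(v) for v in versions),
    }


def scan_paths(paths):
    """Scan regular files on disk; directories and missing paths are skipped."""
    return [scan_blob(str(p), Path(p).read_bytes())
            for p in map(Path, paths) if p.is_file()]


# Constructed sample blobs (not real binaries). The 1.12.0 value is an
# arbitrary version newer than 1.11.1, not a claim about any actual release.
SAMPLES = {
    "updater.bin": b"\x7fELF..\x00SSH-2.0-libssh2_1.11.1\x00..",
    "curl-static": b"\x7fELF..\x00SSH-2.0-libssh2_1.12.0\x00..",
    "no-ssh.bin": b"\x7fELF..\x00no ssh client here\x00",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(scan_blob(name, blob))
```

A hit is a candidate, not proof: a distribution may backport the fix without bumping the version string, and an application that sets its own banner with libssh2_session_banner_set() will not match at all.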