
CVE-2026-55200: A PoC Just Dropped for a Pre-Auth RCE in libssh2. curl Uses It. So Does Almost Everything Else.

  • Writer: Patrick Duggan

CVE-2026-55200 is a heap overflow in libssh2 through version 1.11.1. The flaw lives in ssh2_transport_read(), the function that parses incoming SSH packets on the client side. The packet_length field is not validated before being used to calculate an allocation size. A crafted packet with packet_length set to 0xffffffff triggers a 32-bit integer wrap, forces a tiny heap allocation while retaining a large logical packet size, and produces an out-of-bounds write.
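As an added illustration (not libssh2's code, and not from the post's author), the unchecked length arithmetic beside the bounded form a defender would expect to see; the function names, the 32-byte MAC size and the sample header bytes are assumptions:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Illustrative model of the bug class described above: a 32-bit wire length
 * used unbounded in an allocation-size computation. This is NOT libssh2's
 * code; the function names, the MAC size and the layout are assumptions. */

#define LEN_FIELD   4u       /* the 4-byte packet_length prefix itself          */
#define MAC_LEN     32u      /* assumed MAC size appended after the payload      */
#define MIN_PACKET  5u       /* padding_length byte + 4 mandatory padding bytes  */
#define MAX_PACKET  35000u   /* RFC 4253 s6.1 total-size bound, used as the sanity limit */

/* Constructed sample: the first four bytes of a header whose packet_length
 * is 0xffffffff, the value named in the post. */
const unsigned char crafted_hdr[4] = { 0xff, 0xff, 0xff, 0xff };

/* Decode the big-endian uint32 packet_length from a packet header. */
uint32_t read_packet_length(const unsigned char *hdr)
{
    return ((uint32_t)hdr[0] << 24) | ((uint32_t)hdr[1] << 16) |
           ((uint32_t)hdr[2] << 8)  |  (uint32_t)hdr[3];
}

/* Unchecked pattern: the wire value flows straight into the size arithmetic.
 * For packet_length = 0xffffffff the uint32_t sum wraps to 35, so the buffer
 * would be tiny while the logical packet size stays at ~4 GiB. */
uint32_t alloc_size_unchecked(uint32_t packet_length)
{
    return packet_length + LEN_FIELD + MAC_LEN;
}

/* Hardened pattern: bound the wire value before any arithmetic uses it and
 * widen to size_t. Returns 0 to signal "reject the packet". */
size_t alloc_size_checked(uint32_t packet_length)
{
    if (packet_length < MIN_PACKET || packet_length > MAX_PACKET)
        return 0;
    return (size_t)packet_length + LEN_FIELD + MAC_LEN;   /* cannot wrap */
}

int main(void)
{
    uint32_t len = read_packet_length(crafted_hdr);
    printf("packet_length  = 0x%08x\n", len);
    printf("unchecked size = %u bytes\n", alloc_size_unchecked(len));
    printf("checked size   = %zu (0 = rejected)\n", alloc_size_checked(len));
    return 0;
}
```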


The attack position: a malicious or compromised SSH server, or a man-in-the-middle on the network path between client and server, sends the crafted packet during the connection handshake. No authentication required. The client crashes or executes attacker-controlled code before it has authenticated to anything.


The PoC dropped today. CVSS 9.2.



What Runs libssh2


The reason this matters beyond the library itself is the dependency graph.


curl uses libssh2 for SCP and SFTP operations. curl is installed on virtually every Linux system, every macOS system, and is bundled into a significant fraction of Windows tooling. The curl maintainer team acknowledged the libssh2 dependency and the exposure.


PHP's SSH2 extension uses libssh2. Any PHP application that does SFTP file transfers — a common pattern in file upload workflows and backup automation — is potentially affected.


Python's various SSH tooling includes wrappers around libssh2. The ecosystem is fragmented, but libssh2-based Python SSH is common in automation and CI/CD pipelines.


Ruby has net-ssh2 and related gems with libssh2 dependencies.


Git-over-SSH in some configurations routes through libssh2.


Embedded systems and network appliances that implement SSH client functionality have frequently used libssh2 as their SSH client library. These devices may have no patch path.


The blast radius is not "systems running libssh2." It is "systems running any software that uses libssh2 for SSH, SCP, or SFTP operations" — which is most of the modern software stack.



The Attack Vector


The attack requires the attacker to control the SSH server or to hold a MITM position between the libssh2 client and the server. This sounds restrictive until you consider the scenarios where it is not:


Connecting to any SSH server you do not control — a cloud VM, a vendor's SFTP endpoint, a jump host managed by a third party. If that server is compromised, your SSH client is the attack surface.


DNS hijacking or BGP manipulation that redirects SSH traffic to an attacker-controlled server. The client connects, receives the crafted packet, and is exploited before authentication completes.


Automated pipelines that pull from or push to SFTP endpoints as part of CI/CD, data ingestion, or backup workflows. The pipeline's SSH client is the target.


Man-in-the-middle attacks on networks where SSH host key verification (the SSH counterpart of TLS certificate validation) is not enforced — which is most internal networks.



The Supply Chain Dimension


libssh2 is a supply chain vulnerability in the same way log4j was a supply chain vulnerability — the library is so widely embedded that the surface area of exposure is not knowable from the outside. An organization that patches curl does not necessarily patch the PHP application running libssh2 via the SSH2 extension, or the embedded network appliance that has not shipped a firmware update since 2023.


The PoC being public means the exploitation window for anything that doesn't patch immediately is now open. Unlike a zero-day where defenders have some time before weaponization, a public PoC compresses that window to hours.



What to Do


Patch libssh2 to the fixed version immediately on any system you can update.


Audit what software in your environment uses libssh2 — this is harder than it sounds because most dependency inventories do not track transitive dependencies at this level. A software composition analysis tool or an ldd audit of SSH-capable binaries will surface it.


For systems you cannot patch (embedded devices, vendor-managed appliances), treat any SSH outbound connection from those systems as an elevated risk. If they are making automated SFTP connections to external endpoints, assess whether those endpoints are under your control.


The Patch the Planet initiative OpenAI launched this week is not abstractly relevant — libssh2 is an open-source project with exactly the kind of maintenance resource gap that Patch the Planet targets. The PoC existing within hours of the fix being available is the failure mode that initiative is designed to address.








