The Scariest Bug in the Internet's Biggest Zero-Day Dump Was Already Old News to Us. We Autopsied libssh2's CVE-2026-55200 Before the Exploitarium Made It Famous.
- Patrick Duggan
- 1 hour ago
- 4 min read
Late last month an anonymous researcher operating as "bikini" tried to shock the security world, and largely succeeded. They published the Exploitarium — a single repository of more than 130 unpatched proof-of-concept exploits spanning 22 software projects, dumped all at once with no notification to a single vendor. It rocketed to number five on Hacker News. The premise of a mass drop like this is fear: when a researcher publishes a working exploit without telling the vendor, defenders and attackers learn about the hole at the exact same second, and there is no patch to reach for. One hundred and thirty of those at once is designed to feel like the sky falling.
And the single most dangerous entry in the entire pile — the one bug that actually matters to almost every machine on the internet — was something we had already taken apart, in public, with a full write-up and detection guidance, before the dump ever made it a headline.
The crown jewel
Of the 130-plus, the one that should stop you is [CVE-2026-55200](https://analytics.dugganusa.com/api/v1/dredd/kev-gap?cve=CVE-2026-55200), a pre-authentication remote-code-execution flaw in libssh2. If that library name doesn't make you flinch, it should: libssh2 is the SSH engine buried inside an enormous amount of software you never think about. curl uses it. Countless applications, appliances, and automation tools that speak SSH under the hood use it. A pre-auth RCE in libssh2 is not a bug in one product — it is a bug in a component that thousands of products quietly embed and almost nobody patches directly.
We published the autopsy on June 25. The post was titled, plainly, "[CVE-2026-55200](https://analytics.dugganusa.com/api/v1/dredd/kev-gap?cve=CVE-2026-55200): A PoC Just Dropped for a Pre-Auth RCE in libssh2. curl Uses It. So Does Almost Everything Else." We walked the mechanism: a heap overflow in ssh2_transport_read(), the function that parses incoming SSH packets on the client side, where the packet_length field is used to size an allocation before it is validated. Send a crafted packet with packet_length set to 0xffffffff and you trigger a 32-bit integer wrap — the library allocates a tiny buffer while still believing it is holding a huge packet, and writes out of bounds. We laid out the attack position and what to watch for. That was the whole post: here is the worst bug you haven't heard of yet, and here is why it reaches further than any single vendor advisory will admit.
Then the Exploitarium landed, made CVE-2026-55200 a headline, and the security internet spent a week discovering the thing we had already documented. Arctic Wolf Labs cited our libssh2 write-up in their own coverage. When a firm of that size reaches back and pulls your post into their analysis, that is the market telling you which end of the timeline you were on.
Why this keeps happening to us specifically
This is not the first time, and it is becoming a genre on this blog for a reason that has nothing to do with luck. We wrote about the Fortinet EMS flaw in February; CISA added it to the Known Exploited Vulnerabilities catalog in April. We documented the Cisco Secure Firewall Management Center deserialization bug while Interlock ransomware was already using it and Cisco still didn't know — thirty-six days of exposure, our post inside the window. We had EtherHiding six weeks before mainstream coverage. Just this week, a national cyber authority in Australia warned the world about a CMS webshell campaign, and we had already autopsied its headline vulnerability sixty-four days earlier.
The reason is structural. Our exploit harvester sweeps GitHub on a six-hour cycle looking for exactly one thing: the moment a working proof-of-concept goes public. That moment almost always precedes the vendor advisory, the CISA deadline, the national-CERT warning, and — as the Exploitarium proved — sometimes even the mass-disclosure event that makes a bug famous. A mass dump of 130 zero-days is not a surprise to a system that already lives in the window where those zero-days are born. Most of them, we had seen the shape of before bikini decided to make them everyone's problem at once.
The honest part, and the point
Held to about ninety-five percent. Credit where it belongs: mass-dropping 130 unpatched exploits without vendor notification is, in our view, reckless — it hands attackers a catalog before defenders have a patch — but the disclosure of the underlying libssh2 flaw and the analysis behind it are not ours, and we are not claiming to have discovered the vulnerability. Arctic Wolf's coverage is theirs; CISA's, Fortinet's, Cisco's, the ACSC's are theirs.
What is ours is the timestamp. The useful moment for a defender is never the day a bug becomes a headline. It is weeks earlier, when the first working exploit hits GitHub and the clock starts — and that is precisely where we already are, every six hours, whether or not anyone has decided the sky is falling yet. When the biggest zero-day dump of the year finally made libssh2 famous, our readers had already patched it. That's the entire job: not to react to the noise, but to have handed you the one thing in it that mattered, before it was loud.
Every indicator in this post is in the feed. Free.
1.58M+ IOCs, STIX 2.1 / TAXII, 88% novel vs ThreatFox, exploited-CVE leads ahead of CISA. No credit card — a free API key in 30 seconds, and you can audit every claim above against the live endpoints.
