OFFSITE.DARK
← Signals

Jun 29, 2026

1 min

Sploitus / Exploitarium

  • libssh2
  • cve-2026-55200
  • ssh
  • exploitarium

news

libssh2 CVE-2026-55200 Packet Length Integer Wrap

Unchecked SSH packet_length wraps allocation to 19 bytes while logical length stays 0xffffffff — local RCE harness models post-allocation misuse.

Summary

Unchecked SSH packet_length wraps allocation to 19 bytes while logical length stays 0xffffffff — local RCE harness models post-allocation misuse. This proof-of-concept is one of 30 folders in the Exploitarium collection. OFFSITE.DARK summarizes the upstream README and PoC design; we did not discover or weaponize this flaw.

Key Findings

FindingDetail
Product / targetlibssh2 ≤ 1.11.1 (fixed 97acf3df)
CVECVE-2026-55200
Primitivepacket_length=0xffffffff → alloc size 19 via 32-bit wrap
ImpactHeap corruption / control hijack in SSH client paths using vulnerable transport read.

Attack Chain

Malicious SSH server → ssh2_transport_read → undersized alloc → harness callback overwrite

Mitigation

Upgrade libssh2 past 1.11.1; reject oversized packet_length before addition.

Related Signals

Sources

→ Source