libssh2 CVE-2026-55200 Packet Length Integer Wrap
Summary
Unchecked SSH packet_length wraps allocation to 19 bytes while logical length stays 0xffffffff — local RCE harness models post-allocation misuse. This proof-of-concept is one of 30 folders in the Exploitarium collection. OFFSITE.DARK summarizes the upstream README and PoC design; we did not discover or weaponize this flaw.
Key Findings
| Finding | Detail |
|---|---|
| Product / target | libssh2 ≤ 1.11.1 (fixed 97acf3df) |
| CVE | CVE-2026-55200 |
| Primitive | packet_length=0xffffffff → alloc size 19 via 32-bit wrap |
| Impact | Heap corruption / control hijack in SSH client paths using vulnerable transport read. |
Attack Chain
Malicious SSH server → ssh2_transport_read → undersized alloc → harness callback overwrite
Mitigation
Upgrade libssh2 past 1.11.1; reject oversized packet_length before addition.
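
The check named in the mitigation, sketched as an added example (this is not libssh2's code or the upstream fix). The 20-byte overhead is an assumption inferred from the page's figures (0xffffffff + 20 wraps to 19); MAX_PACKET and both function names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumptions for illustration, not values taken from libssh2:
 * OVERHEAD   bytes added to packet_length before allocating; 20 reproduces
 *            the page's figure (0xffffffff + 20 wraps to 19).
 * MAX_PACKET hypothetical cap; RFC 4253 section 6.1 only requires support
 *            for packets of 35000 bytes total. */
#define OVERHEAD   20u
#define MAX_PACKET 35000u

/* Unchecked form: the sum is computed modulo 2^32, so the allocation size
 * and the logical packet length no longer agree. */
static uint32_t alloc_size_unchecked(uint32_t packet_length)
{
    return packet_length + OVERHEAD;
}

/* Hardened form: bound the peer-supplied field before any arithmetic.
 * Returns 0 and stores the size in *out, or -1 if the packet is rejected. */
static int alloc_size_checked(uint32_t packet_length, size_t *out)
{
    if (packet_length < 1 || packet_length > MAX_PACKET)
        return -1;                            /* reject, never allocate */
    *out = (size_t)packet_length + OVERHEAD;  /* cannot wrap after the bound */
    return 0;
}

int main(void)
{
    /* Constructed sample lengths: the wrapping value, a normal packet, zero. */
    const uint32_t samples[] = { 0xffffffffu, 1024u, 0u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t n = 0;
        int rc = alloc_size_checked(samples[i], &n);
        printf("len=0x%08x unchecked=%u checked=%s (%zu)\n",
               (unsigned)samples[i], (unsigned)alloc_size_unchecked(samples[i]),
               rc == 0 ? "ok" : "rejected", n);
    }
    return 0;
}
```

The bound has to come before the addition: testing the sum afterwards sees 19, which looks like a valid small size.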