A public proof-of-concept for CVE-2026-55200 is now live, and the window to patch quietly is closing. The vulnerability is a CVSS 9.2 heap overflow in libssh2 that fires during the SSH handshake — before authentication, before a session, before you have any chance to intervene. A malicious server just needs you to connect.
libssh2 is the SSH client library embedded in curl, Git, PHP’s ssh2 extension, backup agents, CI/CD runners, and a long tail of firmware and appliances. If you write code that makes SSH or SFTP connections, there is a reasonable chance libssh2 is doing the heavy lifting underneath — and every version through 1.11.1 is affected.
What’s Actually Broken
The bug lives in ssh2_transport_read() inside transport.c. SSH packets carry a 4-byte packet_length field that declares how many bytes follow. That field is controlled by the server. libssh2 checked for values below 1 but never enforced an upper bound — which means a malicious server can send packet_length = 0xffffffff.
When that happens, integer arithmetic wraps, libssh2 allocates a buffer for the wrong (tiny) size, and then writes the full oversized packet into it. Classic CWE-680: integer overflow to heap overflow. The result is memory corruption steerable toward arbitrary code execution on the connecting client.
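As an added illustration (not libssh2's own code) of the pattern just described: a length check with no upper bound beside a bounded version. The function names, the "+ 4" header arithmetic and the 35000-byte ceiling are assumptions for the example, and the two header values are constructed samples.

```c
#include <stdint.h>
#include <stdio.h>

/* Illustrative reconstruction of the CWE-680 pattern described above.
 * This is not libssh2's code: the function names, the "+ 4" header
 * arithmetic and the ceiling below are assumptions for the example. */

/* RFC 4253 requires implementations to accept packets up to 35000 bytes;
 * using that as the upper bound is an assumed, reasonable ceiling. */
#define MAX_PACKET_LENGTH 35000u

/* Constructed sample headers: a hostile length field and a benign one. */
const unsigned char SAMPLE_MALICIOUS_HDR[4] = { 0xff, 0xff, 0xff, 0xff };
const unsigned char SAMPLE_BENIGN_HDR[4]    = { 0x00, 0x00, 0x01, 0x00 }; /* 256 */

/* Decode the big-endian 4-byte packet_length at the start of an SSH packet. */
static uint32_t read_packet_length(const unsigned char hdr[4])
{
    return ((uint32_t)hdr[0] << 24) | ((uint32_t)hdr[1] << 16) |
           ((uint32_t)hdr[2] << 8)  |  (uint32_t)hdr[3];
}

/* Vulnerable pattern: only the lower bound is checked, then the allocation
 * size (length field + payload) is computed in 32-bit arithmetic, so
 * 0xffffffff + 4 wraps to 3 and a tiny buffer is requested for a huge
 * packet. Returns 0 when the length is rejected, else the size to allocate. */
uint32_t alloc_size_vulnerable(const unsigned char hdr[4])
{
    uint32_t packet_length = read_packet_length(hdr);
    if (packet_length < 1)
        return 0;
    return packet_length + 4;          /* wraps for server-chosen large values */
}

/* Hardened pattern: reject anything above a protocol-derived ceiling before
 * doing arithmetic, and widen the addition so no wrap is possible at all. */
uint32_t alloc_size_hardened(const unsigned char hdr[4])
{
    uint32_t packet_length = read_packet_length(hdr);
    if (packet_length < 1 || packet_length > MAX_PACKET_LENGTH)
        return 0;
    uint64_t total = (uint64_t)packet_length + 4;
    return (uint32_t)total;            /* at most MAX_PACKET_LENGTH + 4 */
}

int main(void)
{
    printf("vulnerable: %u\n", (unsigned)alloc_size_vulnerable(SAMPLE_MALICIOUS_HDR));
    printf("hardened:   %u\n", (unsigned)alloc_size_hardened(SAMPLE_MALICIOUS_HDR));
    return 0;
}
```

The vulnerable path hands back 3 for the hostile header, which is exactly the tiny allocation the text describes; the hardened path refuses the length outright.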
The attack fires during key exchange negotiation — the first thing that happens when you open an SSH connection. There is no login prompt. No credentials. No session state to interrupt. If the server is malicious or compromised, connecting is enough.
The Blast Radius Is Your Entire Toolchain
This is not a niche library. libssh2 is embedded in:
- curl — used for SCP and SFTP transfers; present on virtually every server and developer machine
- Git — on platforms where Git links libssh2, cloning from a compromised remote becomes an attack vector
- PHP — via the ssh2_* extension family; any PHP application doing SFTP or SSH automation
- Backup agents — rsync wrappers, rclone, and proprietary backup tools that use libssh2 for SFTP destinations
- CI/CD runners — automated pipelines that pull from repositories or push artifacts over SSH
- IoT and appliances — statically linked; these will not update automatically
The scenario security teams are watching: an attacker compromises a Git mirror or package repository, your CI/CD pipeline clones from it, the malicious server sends a crafted handshake packet, and your runner executes arbitrary code before the build even starts. Supply chain compromise via a protocol-layer flaw — no malicious commit required.
The PoC Is Out. The Clock Is Running.
The proof-of-concept was published via the “exploitarium” archive on June 27 — the same dump ByteIota covered last Saturday for its 130 zero-day entries. The libssh2 PoC contains an SSH trigger scaffold and a controlled local RCE harness. It is not a turnkey remote exploit.
That distinction matters less than it sounds. A working local trigger demonstrates the bug is real and triggerable. For a well-understood vulnerability class like CWE-680, the gap between “local trigger” and “weaponized remote exploit” tends to be measured in days, not months. The PoC drop is the countdown starting, not the all-clear.
How to Check and Fix This Now
The fix is commit 7acf3df in the libssh2 main branch (PR #2052), shipping as libssh2 1.12.0. Debian already has a backport in testing. Ubuntu, RHEL, and Fedora advisories are expected within 48 hours.
Check your installed version:
# Debian/Ubuntu
dpkg -l libssh2-1
# RHEL/Fedora/CentOS
rpm -q libssh2
# macOS (Homebrew)
brew info libssh2
If you are on anything through 1.11.1, you need to update. For distro packages, watch your vendor advisory channel and apply the update as soon as it lands. Tenable’s Nessus plugin 321726 can scan your fleet for unpatched systems.
Statically linked binaries — firmware, appliances, custom-built containers — will not update through your package manager. You need to rebuild them against libssh2 1.12.0 directly, or replace the affected binaries entirely. Most teams will miss this step without a proper inventory check against the GitHub Advisory GHSA-r8mh-x5qv-7gg2.
Interim Mitigation While You Wait
If you cannot patch immediately:
- Restrict outbound SSH connections to explicitly trusted hosts only (allowlist, not blocklist)
- Enforce SSH host key verification in all automated workflows — reject unknown keys
- Audit any CI/CD pipeline that connects to external SSH endpoints
- For PHP deployments, consider disabling the ssh2 extension until the system libssh2 is updated
This vulnerability was disclosed responsibly by researcher Tristan Madani and is documented by The Hacker News. The NVD entry for CVE-2026-55200 carries the full CVSS breakdown. The patch is available now. The PoC is already public. The only thing left to do is update.