How a single crafted SSH packet can execute code on your systems before they even log in
Your organization has spent years locking down inbound SSH: strong passwords, multi-factor authentication, firewall rules, login alerts. None of that matters here. This attack hits your systems while they are the client, reaching out to connect to a server. The malicious server sends one packet. Your software never gets to the login prompt. Code runs on your machine before any credentials are exchanged.
The vulnerability is CVE-2026-55200, a critical flaw in libssh2, a C library that handles SSH connections for curl, Git, PHP, backup agents, CI/CD runners, and a long tail of network appliances and firmware. Every version through 1.11.1 is affected. The attack requires no authentication, no user interaction, and no special network position if the attacker controls any server your software connects to. The CVSS score is 9.8 out of 10.
The detail that should concern every security leader: a working proof-of-concept (PoC) exploit was published publicly on June 29, 2026, and as of June 30, no official patched release of libssh2 exists. A patch was merged on June 12, but it has not been packaged into a tagged release. That means every organization waiting for a standard software update is waiting for something that has not shipped. Meanwhile, Federal Signal analyst Ethan Andrews has stated that active exploitation has already been independently observed.
Narrative · 6 min read
The Context
libssh2 is a C library that gives software the ability to speak SSH, the protocol used to securely transfer files and run commands between computers. It is not a product you buy or a service you sign up for. It is a building block that other software uses internally, often invisibly. curl uses libssh2 for SCP and SFTP transfers. Git uses it in certain build configurations. PHP's ssh2_* extension family is built on it. Backup agents, deployment pipelines, firmware updaters, and network appliances all embed it.
Because libssh2 is so foundational, a flaw in it does not affect one product. It affects every product that contains it, which is a population no one has fully mapped.
The Attack, Phase by Phase
Phase 1: The Hidden Dependency
libssh2 is embedded in hundreds of tools, but most organizations have no accurate inventory of where it sits. Package managers track versioned releases of the tools you install, not the internal libraries those tools were compiled with. When a copy of libssh2 is statically linked into a binary, it becomes part of that binary permanently. It does not appear in your OS's list of installed packages. It does not update when you run a system update.
This means the first problem is not patching. It is knowing where you are exposed.
Phase 2: How the Overflow Works
The flaw lives in ssh2_transport_read() inside transport.c. This function reads incoming SSH packets during the first handshake when a client opens a connection. Every SSH packet includes a 4-byte packet_length field telling the client how many bytes follow.
libssh2 checked that this value was not below 1. It never checked whether it was too large. An attacker controlling the server sends packet_length set to 0xffffffff, approximately 4.3 billion. When libssh2 uses that number in 32-bit arithmetic to calculate a buffer size, it wraps around and produces an allocation as small as 19 bytes. The code then writes the full payload into that 19-byte space, overwriting adjacent memory and giving an attacker the ability to execute code.
The entire sequence happens before authentication. The client simply opens a connection, and the malicious server sends one packet.
Phase 3: The PoC Drop and the Disclosure Gap
Researcher Tristan Madani discovered the flaw and reported it responsibly. The patch was merged on June 12, 2026. VulnCheck published the CVE on June 17. NHS England Digital issued a formal cyber alert (CC-4799) the same day, urging affected organizations to update.
But no official tagged release of libssh2 shipped in the 17 days that followed. Organizations waiting for a standard software update had nothing to install.
On June 29, an anonymous researcher published the "exploitarium" repository on GitHub: 130 or more PoCs across 22 software projects, including a libssh2 trigger scaffold and a local code execution harness, all released without notifying any vendor. GitHub removed it, but mirrors spread immediately. Attackers are assumed to have the code.
Phase 4: The Static-Linking Patch Problem
Even after Linux distributions backport the fix, a large fraction of the vulnerable population remains unpatched. Debian has fixed its trixie and sid packages; backports for bullseye and bookworm are still in progress. Ubuntu 26.04 and 25.10 are under evaluation. But distribution patches only reach dynamically linked copies.
Every statically linked binary, every container image built from an old base, every network appliance running an embedded libssh2 build requires a separate vendor patch or source rebuild. Some vendors will respond within days. Others will take months. Some will not respond at all.
What Made This Possible
- The same bug class returned seven years later. In 2019, libssh2 shipped version 1.8.1 to fix CVE-2019-3855, a near-identical integer overflow in the same ssh2_transport_read() function. The fix did not include a general upper-bound check that would have prevented the 2026 variant.
- Static linking creates an invisible attack surface. A library embedded in a compiled binary exists outside every standard patch mechanism. The GitHub Advisory Database explicitly notes that Dependabot alerts are not supported for this CVE because statically linked copies have no package entry to track.
- Open-source release processes did not keep pace with the threat timeline. The patch existed for 17 days before the PoC dropped. A tagged release in that window would have given every downstream consumer something concrete to install. A fix that exists only in a commit is not a fix for most of the people who need it.
What Should Have Stopped This
Every defense that would have reduced the blast radius here shares one trait: it does not depend on the vulnerable library being patched before an attacker reaches it.
- SBOM with library-level granularity. An SBOM that lists only top-level packages misses statically linked dependencies. One that tracks library versions inside compiled binaries would have told security teams exactly which tools contained a vulnerable libssh2 copy on June 17, when the CVE was published.
- Network controls on outbound SSH connections. If automated systems can only connect to a pre-approved list of SSH endpoints, an attacker cannot redirect them to a malicious server. Allowlisting outbound SSH destinations does not require the library to be patched.
- Verification of SSH host keys before trusting a server. Comparing the server's host key against a pinned fingerprint (libssh2 exposes the key through libssh2_session_hostkey() and libssh2_knownhost_check()) is the standard defense against an attacker interposing on the path to a legitimate server. Its limit here is timing: libssh2 hands the host key to the application only after libssh2_session_handshake() returns, and the crafted packet is processed inside that handshake. Host key verification is still worth enforcing, but it is not a control against this bug; outbound destination allowlisting is.
- Isolation of pipeline runners. CI/CD runners with broad network access and elevated permissions are high-value targets. Runners in isolated network segments with minimal outbound access reduce the damage an attacker can do after achieving code execution.
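The Phase 1 problem (a statically linked libssh2 has no package entry) and the SBOM bullet above both come down to finding copies inside compiled binaries. One practical handle, added here as an illustration and not taken from the article or from libssh2's own tooling, is libssh2's default client banner: the library identifies itself as "SSH-2.0-libssh2_" followed by its version string, so a statically linked copy normally leaves that literal in the binary. The example scans a byte blob for the marker, extracts the version and decides whether it falls in the affected range (every release through 1.11.1). The sample "binary" is constructed inline; the caveat is that an embedding application can replace the banner, so a miss is not proof of absence.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* libssh2's default client banner prefix; the version string follows it.
 * An embedding application can override the banner, so treat a miss as
 * "not found", not "not present". */
static const char MARKER[] = "SSH-2.0-libssh2_";

/* Search a blob that may contain NUL bytes (so strstr is unusable) for
 * MARKER and copy the digits-and-dots version text that follows it.
 * Returns 1 if a version was extracted, 0 otherwise. */
int find_libssh2_version(const unsigned char *blob, size_t len, char *ver, size_t cap)
{
    size_t mlen = strlen(MARKER);
    for (size_t i = 0; i + mlen <= len; i++) {
        if (memcmp(blob + i, MARKER, mlen) != 0)
            continue;
        size_t j = i + mlen, k = 0;
        while (j < len && k + 1 < cap && (isdigit(blob[j]) || blob[j] == '.'))
            ver[k++] = (char)blob[j++];
        ver[k] = '\0';
        return k > 0;
    }
    return 0;
}

/* Parse "major.minor.patch"; a missing patch field counts as 0. */
static int parse_version(const char *ver, int out[3])
{
    out[0] = out[1] = out[2] = 0;
    return sscanf(ver, "%d.%d.%d", &out[0], &out[1], &out[2]) >= 2;
}

/* 1 = affected (release <= 1.11.1), 0 = newer than the last affected
 * release, -1 = version string not parseable. */
int libssh2_version_affected(const char *ver)
{
    static const int last_affected[3] = { 1, 11, 1 };
    int v[3];
    if (!parse_version(ver, v))
        return -1;
    for (int i = 0; i < 3; i++) {
        if (v[i] < last_affected[i]) return 1;
        if (v[i] > last_affected[i]) return 0;
    }
    return 1;   /* exactly 1.11.1 */
}

/* Constructed stand-in for a binary's string data: NULs and unrelated
 * strings around the libssh2 banner. Not a real file. */
static const unsigned char SAMPLE_BINARY[] =
    "\x7f" "ELF\0\0\0curl/8.7.1\0SSH-2.0-libssh2_1.11.1\0OpenSSL 3.2\0";

/* Scan one blob: 1 affected, 0 not affected, -1 no libssh2 banner found. */
int scan_blob(const unsigned char *blob, size_t len, char *ver, size_t cap)
{
    if (!find_libssh2_version(blob, len, ver, cap))
        return -1;
    return libssh2_version_affected(ver);
}

int main(void)
{
    char ver[16];
    int r = scan_blob(SAMPLE_BINARY, sizeof SAMPLE_BINARY - 1, ver, sizeof ver);
    if (r < 0)
        printf("no libssh2 banner found\n");
    else
        printf("libssh2 %s found: %s\n", ver, r ? "AFFECTED" : "not affected");
    return 0;
}
```

Run the same scan over every ELF and container layer in an inventory and the result is the library-level SBOM entry the article asks for, at least for the common case where the banner was left at its default. The same banner also appears on the wire as the client identification string, which is why it doubles as a network-side inventory signal.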
The Takeaway
This attack inverts the conventional SSH threat model. Defenders have spent years hardening inbound SSH servers: strong authentication, firewall rules, login monitoring. The exposure here is in the outbound clients — the automated systems that reach out to servers they do not fully control. CI/CD pipelines clone from Git mirrors. Backup agents connect to storage endpoints. Firmware updaters pull from vendor servers. Any of those connections, if redirected to an attacker-controlled server, triggers the vulnerability before the client can do anything about it.
This is the same class of failure as the Axios supply chain attack: a trusted outbound connection becomes the attack vector, and the defender's controls are oriented the wrong way. The Axios attack weaponized build-time trust in a package registry. This attack weaponizes the SSH handshake itself — the protocol layer that was supposed to be the secure foundation underneath everything else.
Pattern to remember: When a library is embedded invisibly in hundreds of tools, a single flaw creates an attack surface no one has fully mapped, and patching it requires finding every copy first.
What changed: The SSH client, not the SSH server, is now the primary attack surface for pre-authentication remote code execution.
Technical Deep Dive · 4 min
The Technical Mechanism
CVE-2026-55200 is a CWE-680 (integer overflow to buffer overflow) vulnerability in ssh2_transport_read() within transport.c of libssh2 through version 1.11.1.
During the SSH Binary Packet Protocol (BPP) handshake, the server transmits packets prefixed with a 4-byte packet_length field. The libssh2 implementation validated that packet_length >= 1 but imposed no upper bound. An attacker-controlled server sends packet_length = 0xffffffff (4,294,967,295). The subsequent heap allocation calculation performs 32-bit unsigned arithmetic:
alloc_size = packet_length + LIBSSH2_PACKET_OVERHEAD;
This addition wraps modulo 2^32, producing an allocation as small as 19 bytes. The packet-processing logic then uses the original 0xffffffff value to bound the subsequent memcpy-equivalent write into that undersized buffer, producing an out-of-bounds write that corrupts adjacent heap metadata and application data.
The attack fires during the transport-layer key exchange (KEX), before SSH_MSG_USERAUTH_REQUEST is ever sent. Any call path reaching libssh2_session_handshake() against an attacker-controlled endpoint is vulnerable. Network interposition (DNS hijacking, BGP manipulation, compromised upstream service) can redirect a client connecting to a legitimate server to a malicious one without the client's knowledge.
The upstream fix (commit 97acf3df, PR #2052, merged June 12, 2026) adds a single guard before the arithmetic:
if (packet_length > LIBSSH2_PACKET_MAXPAYLOAD)
return LIBSSH2_ERROR_OUT_OF_BOUNDARY;
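The arithmetic described in Phase 2 and in the deep dive above, reduced to a runnable model. This is an added example, not libssh2's code and not the PoC: the function names, the overhead constant (20, chosen because it reproduces the 19-byte allocation the advisory describes for 0xffffffff) and the maximum payload (40000) are assumptions for illustration. It decodes the big-endian packet_length from a constructed packet header, shows the unpatched addition wrapping modulo 2^32, computes in 64-bit how far a packet_length-bounded copy would overrun the wrapped buffer (nothing is actually written out of bounds), and places the upstream guard's shape beside it.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed constants for illustration; not libssh2's real definitions.
 * OVERHEAD 20 makes 0xffffffff wrap to the 19-byte allocation the
 * advisory describes. */
#define PACKET_OVERHEAD     20u
#define PACKET_MAXPAYLOAD   40000u
#define ERR_OUT_OF_BOUNDARY (-1)

/* SSH Binary Packet Protocol: the first 4 bytes of every packet are
 * packet_length, big-endian. */
uint32_t read_packet_length(const unsigned char hdr[4])
{
    return ((uint32_t)hdr[0] << 24) | ((uint32_t)hdr[1] << 16) |
           ((uint32_t)hdr[2] << 8)  |  (uint32_t)hdr[3];
}

/* Unpatched shape: lower bound checked, no upper bound, and the 32-bit
 * addition silently wraps for large values. */
int vulnerable_alloc_size(uint32_t packet_length, uint32_t *alloc_size)
{
    if (packet_length < 1)
        return ERR_OUT_OF_BOUNDARY;
    *alloc_size = packet_length + PACKET_OVERHEAD;   /* wraps modulo 2^32 */
    return 0;
}

/* Patched shape: reject oversized lengths before any arithmetic, so the
 * addition is bounded by MAXPAYLOAD + OVERHEAD and cannot wrap. */
int checked_alloc_size(uint32_t packet_length, uint32_t *alloc_size)
{
    if (packet_length < 1 || packet_length > PACKET_MAXPAYLOAD)
        return ERR_OUT_OF_BOUNDARY;
    *alloc_size = packet_length + PACKET_OVERHEAD;
    return 0;
}

/* Bytes a copy bounded by the original packet_length would land past the
 * end of a buffer sized by the wrapped value. 64-bit arithmetic, no
 * memory is touched. */
uint64_t bytes_past_buffer(uint32_t packet_length)
{
    uint32_t alloc;
    if (vulnerable_alloc_size(packet_length, &alloc) != 0)
        return 0;
    if ((uint64_t)packet_length <= alloc)
        return 0;
    return (uint64_t)packet_length - alloc;
}

int main(void)
{
    /* Constructed header: packet_length = 0xffffffff, padding_length = 4. */
    const unsigned char crafted[5] = { 0xff, 0xff, 0xff, 0xff, 0x04 };
    uint32_t len = read_packet_length(crafted), alloc = 0;

    vulnerable_alloc_size(len, &alloc);
    printf("packet_length=0x%08x -> wrapped allocation %u bytes, copy overruns by %llu bytes\n",
           len, alloc, (unsigned long long)bytes_past_buffer(len));
    printf("patched guard returns %d for the same length\n",
           checked_alloc_size(len, &alloc));
    return 0;
}
```

The general lesson the block shows is that the guard has to run on the untrusted value before it is used as an operand, not on the result of the addition: checking alloc_size after the wrap would see a perfectly plausible 19 and accept it.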
The public PoC in the "exploitarium" repository contains three components:
- cve_2026_55200_probe.c: standalone C11 arithmetic verifier demonstrating the integer wrap
- libpwn_cve_2026_55200_server.py: minimal malicious SSH server scaffold delivering the crafted packet
- libpwn_local_rce_harness.c + libpwn_local_rce_exploit.py: controlled local RCE harness modeling heap overwrite into callback-pointer control, producing a proof file
The PoC is not a turnkey remote exploit. Reliable code execution against a live target depends on the allocator implementation, memory mitigations (ASLR, heap hardening), and how the embedding application uses libssh2. For a well-understood CWE-680 class, the gap between a working local trigger and a weaponized remote exploit is historically measured in days to weeks.
CVSS v4.0 score: 9.2 (AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H). CVSS v3.1 score: 9.8.
The companion vulnerabilities disclosed simultaneously: CVE-2026-55199 (CVSS 8.2, pre-auth CPU exhaustion via bogus extension count) and CVE-2025-15661 (CVSS 8.3, SFTP heap over-read).
CVE and Advisories
- CVE-2026-55200: Out-of-bounds write in ssh2_transport_read() via unchecked packet_length. CNA: VulnCheck. Published June 17, 2026.
- GHSA-r8mh-x5qv-7gg2: GitHub Advisory Database record. Published June 17, 2026; last updated June 30, 2026.
- NHS England Digital Cyber Alert CC-4799: Tier 1 government advisory. Published June 17, 2026.
- VulnCheck Advisory: Primary CVE advisory. Published June 17, 2026.
- Upstream patch: commit 97acf3df, PR #2052, merged June 12, 2026.
No official tagged libssh2 release containing the fix exists as of June 30, 2026. Fixed distribution packages: Debian trixie (1.11.1-1+deb13u1), Debian sid (1.11.1-4). Bullseye and bookworm backports in progress. Ubuntu 26.04 and 25.10 under evaluation.
MITRE ATT&CK Mapping
| Technique ID | ATT&CK name | How it appeared |
|---|---|---|
| T1203 | Exploitation for Client Execution | The vulnerable code runs in the client: the application's outbound SSH connection reaches an attacker-controlled server, which delivers the crafted packet during the handshake. T1190 (Exploit Public-Facing Application) does not fit, since nothing on the victim listens for inbound connections. |
| T1195 | Supply Chain Compromise | libssh2 is embedded as a dependency in curl, Git, PHP, and hundreds of other tools; a flaw in the library propagates to all consumers. |
| T1059 | Command and Scripting Interpreter | Successful heap overflow exploitation enables arbitrary code execution in the context of the process calling libssh2_session_handshake(); from there an attacker can launch shells or interpreters with that process's privileges. |
| T1557 | Adversary-in-the-Middle | An attacker without a malicious server can interpose on the network path via DNS hijacking or BGP manipulation to deliver the crafted packet to a client connecting to a legitimate server. |
| T1072 | Software Deployment Tools | CI/CD runners and deployment pipelines that use libssh2 for Git clones or SFTP transfers are high-value targets: code execution on a runner can compromise the entire build pipeline. |
Indicators of Compromise
Detection is structurally difficult. The malicious packet is delivered during the SSH handshake, before any session is established, and produces no application-layer log entry. Standard SSH server logs record inbound connections; they do not record what a client received from a server it connected to.
Network Indicators
- Outbound SSH connections (TCP port 22, or non-standard SSH ports) to unexpected or newly registered endpoints from CI/CD runners, backup agents, or automated pipeline processes
- SSH connections to endpoints not present in an allowlist of known SSH destinations
- Outbound connections whose client identification string begins with SSH-2.0-libssh2_ (libssh2's default banner, sent in the clear before key exchange). This is not evidence of exploitation, but it enumerates which hosts and processes carry a libssh2 client.
Host Indicators
- Process crashes (SIGSEGV, SIGABRT) or unexplained restarts in curl, Git, php-fpm, or backup agent processes during outbound SSH operations, particularly in the handshake phase
- Unexpected child processes spawned from CI/CD runner processes
- Heap corruption signals in application logs immediately following an outbound SSH connection attempt
Detection Gap
Because the vulnerability fires pre-authentication, there is no SSH session record, no authentication log, and no application-layer event to correlate. Detection depends on network flow monitoring (anomalous outbound SSH destinations) and process-level crash telemetry. Organizations without outbound SSH allowlisting have limited visibility into whether exploitation has been attempted.
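The detection the paragraph above leans on (outbound SSH to destinations not on an allowlist) is simple enough to show end to end. This is an added example written for this page, not a detection rule from any vendor or from the article's sources: the flow log format, the allowlist entries and the host names are all constructed, and the addresses come from documentation ranges. The function parses one flow record per line, ignores non-SSH ports, and flags SSH flows whose destination and port are not in the allowlist; a malformed line is skipped rather than trusted.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One parsed outbound flow record. */
struct flow {
    char host[32];   /* originating automated system */
    char dst[64];    /* destination address */
    unsigned port;   /* destination TCP port */
};

/* Assumed allowlist of SSH endpoints automation may reach (hypothetical). */
static const struct { const char *dst; unsigned port; } ALLOWLIST[] = {
    { "203.0.113.10", 22 },    /* internal git mirror */
    { "203.0.113.20", 22 },    /* backup storage endpoint */
    { "198.51.100.5", 2222 },  /* vendor firmware SFTP on a non-standard port */
};

/* Ports this check treats as SSH: 22 plus the known non-standard one. */
static const unsigned SSH_PORTS[] = { 22, 2222 };

/* Constructed flow log lines, not real telemetry: timestamp, then key=value fields. */
static const char *const SAMPLE_LOG[] = {
    "2026-06-29T09:14:02Z host=ci-runner-01 dst=203.0.113.10 dport=22",
    "2026-06-29T09:14:09Z host=ci-runner-01 dst=198.51.100.77 dport=22",
    "2026-06-29T09:15:31Z host=backup-02 dst=203.0.113.20 dport=22",
    "2026-06-29T09:16:00Z host=ci-runner-03 dst=203.0.113.10 dport=443",
    "2026-06-29T09:17:45Z host=fw-updater dst=198.51.100.5 dport=2222",
    "2026-06-29T09:18:12Z host=ci-runner-03 dst=192.0.2.44 dport=2222",
};
#define SAMPLE_LOG_COUNT (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

/* Parse one line into a flow. %*s skips the timestamp; the field widths keep
 * the copies inside the struct buffers. Returns 1 on success. */
int parse_flow(const char *line, struct flow *f)
{
    return sscanf(line, "%*s host=%31s dst=%63s dport=%u",
                  f->host, f->dst, &f->port) == 3;
}

int is_ssh_port(unsigned port)
{
    for (size_t i = 0; i < sizeof SSH_PORTS / sizeof SSH_PORTS[0]; i++)
        if (SSH_PORTS[i] == port) return 1;
    return 0;
}

/* Destination and port must both match an allowlist entry. */
int is_allowed_destination(const char *dst, unsigned port)
{
    for (size_t i = 0; i < sizeof ALLOWLIST / sizeof ALLOWLIST[0]; i++)
        if (ALLOWLIST[i].port == port && strcmp(ALLOWLIST[i].dst, dst) == 0)
            return 1;
    return 0;
}

/* Walk the lines and collect SSH flows to unlisted destinations into out[].
 * Returns the total flagged; only the first cap entries are stored. */
size_t flag_unlisted_ssh(const char *const *lines, size_t n, struct flow *out, size_t cap)
{
    size_t flagged = 0;
    for (size_t i = 0; i < n; i++) {
        struct flow f;
        if (!parse_flow(lines[i], &f)) continue;        /* malformed: skip */
        if (!is_ssh_port(f.port)) continue;             /* not SSH: out of scope */
        if (is_allowed_destination(f.dst, f.port)) continue;
        if (flagged < cap) out[flagged] = f;
        flagged++;
    }
    return flagged;
}

int main(void)
{
    struct flow hits[8];
    size_t n = flag_unlisted_ssh(SAMPLE_LOG, SAMPLE_LOG_COUNT, hits, 8);
    for (size_t i = 0; i < n && i < 8; i++)
        printf("ALERT unlisted outbound SSH: %s -> %s:%u\n",
               hits[i].host, hits[i].dst, hits[i].port);
    return 0;
}
```

Two of the six constructed records are flagged: a runner reaching an unknown host on port 22, and another reaching an unknown host on the non-standard port. The port list matters as much as the allowlist; a rule that only watches port 22 misses the second one.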
Attribution
No nation-state or APT group attribution exists for CVE-2026-55200. The vulnerability was discovered and responsibly reported by security researcher Tristan Madani (@TristanInSec), credited in upstream patch commit 97acf3df.
The public PoC was released on June 29, 2026, by an anonymous researcher operating under the GitHub handle "bikini" as part of the "exploitarium" repository dump, without prior vendor notification. Bikini claims to have used AI-assisted fuzzing (initially described as GPT-5.5-3-Codex-Spark, later revised to GPT-5.3) to automate vulnerability discovery across 22 software projects, with manual review and hand-typed PoC code. Federal Signal analyst Ethan Andrews assessed CVE-2026-55200 as the most severe finding in the dump and stated active exploitation has been independently observed as of June 29, 2026. CISA's Known Exploited Vulnerabilities catalog does not list CVE-2026-55200 as of June 30, 2026.
Primary Sources
- 01. libssh2 - Out-of-Bounds Write via Unchecked packet_length in transport.c. VulnCheck, June 17, 2026.
- 02. CVE-2026-55200 - GitHub Advisory Database (GHSA-r8mh-x5qv-7gg2). GitHub / National Vulnerability Database, June 17, 2026.
- 03. Critical Remote Code Execution Vulnerability in libssh2 - Cyber Alert CC-4799. NHS England Digital, June 17, 2026.
- 04. Public PoC Released for Critical libssh2 CVE-2026-55200 Client-Side SSH Flaw. The Hacker News, June 29, 2026.
- 05. Anonymous Researcher Drops 0-Day 'Exploitarium' Repo. The Register, June 29, 2026.
- 06. Researcher Behind 'Exploitarium' Explains Release of Undisclosed Zero-Day Exploits. Infosecurity Magazine, July 3, 2026.
- 07. libssh2 CVE-2026-55200 Shows Why Outbound SSH Is an Attack Surface. Latest Hacking News, June 30, 2026.