CyberBytes Daily

Trending cyberattacks, explained simply.

critical vulnerability

How a single crafted SSH packet can execute code on your systems before they even log in

Your organization has spent years locking down inbound SSH: strong passwords, multi-factor authentication, firewall rules, login alerts. None of that matters here. This attack hits your systems while they are the client, reaching out to connect to a server. The malicious server sends one packet. Your software never gets to the login prompt. Code runs on your machine before any credentials are exchanged.

The vulnerability is CVE-2026-55200, a critical flaw in libssh2, a C library that handles SSH connections for curl, Git, PHP, backup agents, CI/CD runners, and a long tail of network appliances and firmware. Every version through 1.11.1 is affected. The attack requires no authentication, no user interaction, and no special network position if the attacker controls any server your software connects to. The CVSS score is 9.8 out of 10.

The detail that should concern every security leader: a working proof-of-concept (PoC) exploit was published publicly on June 29, 2026, and as of June 30, no official patched release of libssh2 exists. A patch was merged on June 12, but it has not been packaged into a tagged release. That means every organization waiting for a standard software update is waiting for something that has not shipped. Meanwhile, Federal Signal analyst Ethan Andrews has stated that active exploitation has already been independently observed.

Narrative · 6 min read

The Context

libssh2 is a C library that gives software the ability to speak SSH, the protocol used to securely transfer files and run commands between computers. It is not a product you buy or a service you sign up for. It is a building block that other software uses internally, often invisibly. curl uses libssh2 for SCP and SFTP transfers. Git uses it in certain build configurations. PHP's ssh2_* extension family is built on it. Backup agents, deployment pipelines, firmware updaters, and network appliances all embed it.

Because libssh2 is so foundational, a flaw in it does not affect one product. It affects every product that contains it, which is a population no one has fully mapped.

The Attack, Phase by Phase

Phase 1: The Hidden Dependency

libssh2 is embedded in hundreds of tools, but most organizations have no accurate inventory of where it sits. Package managers track versioned releases of the tools you install, not the internal libraries those tools were compiled with. When a copy of libssh2 is statically linked into a binary, it becomes part of that binary permanently. It does not appear in your OS's list of installed packages. It does not update when you run a system update.

This means the first problem is not patching. It is knowing where you are exposed.

WHERE LIBSSH2 HIDES IN A TYPICAL ORGANIZATION

  1. libssh2 compiled into tools: curl, Git, PHP, backup agents, runners
  2. Static linking buries the copy: no separate package entry exists
  3. No SBOM, no inventory: the security team cannot see its exposure

A statically linked libssh2 copy does not appear in apt, yum, or any package manager output.

Phase 2: How the Overflow Works

The flaw lives in ssh2_transport_read() inside transport.c. This function reads incoming SSH packets during the first handshake when a client opens a connection. Every SSH packet includes a 4-byte packet_length field telling the client how many bytes follow.

libssh2 checked that this value was not below 1. It never checked whether it was too large. An attacker controlling the server sends packet_length set to 0xffffffff, approximately 4.3 billion. When libssh2 uses that number in 32-bit arithmetic to calculate a buffer size, it wraps around and produces an allocation as small as 19 bytes. The code then writes the full payload into that 19-byte space, overwriting adjacent memory and giving an attacker the ability to execute code.

The entire sequence happens before authentication. The client simply opens a connection, and the malicious server sends one packet.

INSIDE THE VULNERABLE HANDSHAKE

  1. Client opens SSH connection: calls libssh2_session_handshake()
  2. Malicious server sends one packet: packet_length set to 0xffffffff
  3. 32-bit arithmetic wraps: 4.3 billion becomes ~19 bytes
  4. Full payload written to tiny buffer: adjacent heap memory corrupted

Vulnerability triggered before login: remote code execution, with the attacker controlling the overwritten memory. No credentials, no session state, no user action required. One packet is enough.

Phase 3: The PoC Drop and the Disclosure Gap

Researcher Tristan Madani discovered the flaw and reported it responsibly. The patch was merged on June 12, 2026. VulnCheck published the CVE on June 17. NHS England Digital issued a formal cyber alert (CC-4799) the same day, urging affected organizations to update.

But no official tagged release of libssh2 shipped in the 17 days that followed. Organizations waiting for a standard software update had nothing to install.

On June 29, an anonymous researcher published the "exploitarium" repository on GitHub: 130 or more PoCs across 22 software projects, including a libssh2 trigger scaffold and a local code execution harness, all released without notifying any vendor. GitHub removed it, but mirrors spread immediately. Attackers are assumed to have the code.

THE 17-DAY WINDOW

  1. June 12: Patch merged (commit 97acf3df, PR #2052)
  2. June 17: CVE published (VulnCheck, GHSA, NHS alert CC-4799)
  3. 17 days: No tagged release; consumers have nothing to install
  4. June 29: PoC published publicly (130+ exploits, no vendor notification)

The gap between a merged patch and a packaged release is a window attackers can use.

Phase 4: The Static-Linking Patch Problem

Even after Linux distributions backport the fix, a large fraction of the vulnerable population remains unpatched. Debian has fixed its trixie and sid packages; backports for bullseye and bookworm are still in progress. Ubuntu 26.04 and 25.10 are under evaluation. But distribution patches only reach dynamically linked copies.

Every statically linked binary, every container image built from an old base, every network appliance running an embedded libssh2 build requires a separate vendor patch or source rebuild. Some vendors will respond within days. Others will take months. Some will not respond at all.

WHO GETS PATCHED AND WHO DOES NOT

  1. Distro packages updated: Debian trixie/sid fixed; others pending
  2. Dynamic links: update possible, but a distro backport must reach you first
  3. Static links: no automatic update; each binary needs its own rebuild
  4. Firmware and appliances: unknown wait; the vendor must ship an update, and it is unclear when
  • Unmapped exposure: no SBOM means no patch confirmation

The organizations most at risk are those that cannot see their own exposure.

What Made This Possible

  1. The same bug class returned seven years later. In 2019, libssh2 shipped version 1.8.1 to fix CVE-2019-3855, a near-identical integer overflow in the same ssh2_transport_read() function. The fix did not include a general upper-bound check that would have prevented the 2026 variant.

  2. Static linking creates an invisible attack surface. A library embedded in a compiled binary exists outside every standard patch mechanism. The GitHub Advisory Database explicitly notes that Dependabot alerts are not supported for this CVE because statically linked copies have no package entry to track.

  3. Open-source release processes did not keep pace with the threat timeline. The patch existed for 17 days before the PoC dropped. A tagged release in that window would have given every downstream consumer something concrete to install. A fix that exists only in a commit is not a fix for most of the people who need it.

What Should Have Stopped This

Every defense that would have reduced the blast radius here shares one trait: it does not depend on the vulnerable library being patched before an attacker reaches it.

  • SBOM with library-level granularity. An SBOM that lists only top-level packages misses statically linked dependencies. One that tracks library versions inside compiled binaries would have told security teams exactly which tools contained a vulnerable libssh2 copy on June 17, when the CVE was published.

  • Network controls on outbound SSH connections. If automated systems can only connect to a pre-approved list of SSH endpoints, an attacker cannot redirect them to a malicious server. Allowlisting outbound SSH destinations does not require the library to be patched.

  • Verification of SSH host keys before connecting. libssh2 supports strict host key checking, causing the client to refuse connections to servers whose identity does not match a known fingerprint. This eliminates the network-interposition attack path where an attacker intercepts traffic to a legitimate server.

  • Isolation of pipeline runners. CI/CD runners with broad network access and elevated permissions are high-value targets. Runners in isolated network segments with minimal outbound access reduce the damage an attacker can do after achieving code execution.

The Takeaway

This attack inverts the conventional SSH threat model. Defenders have spent years hardening inbound SSH servers: strong authentication, firewall rules, login monitoring. The exposure here is in the outbound clients — the automated systems that reach out to servers they do not fully control. CI/CD pipelines clone from Git mirrors. Backup agents connect to storage endpoints. Firmware updaters pull from vendor servers. Any of those connections, if redirected to an attacker-controlled server, triggers the vulnerability before the client can do anything about it.

This is the same class of failure as the Axios supply chain attack: a trusted outbound connection becomes the attack vector, and the defender's controls are oriented the wrong way. The Axios attack weaponized build-time trust in a package registry. This attack weaponizes the SSH handshake itself — the protocol layer that was supposed to be the secure foundation underneath everything else.

Pattern to remember: When a library is embedded invisibly in hundreds of tools, a single flaw creates an attack surface no one has fully mapped, and patching it requires finding every copy first.

What changed: The SSH client, not the SSH server, is now the primary attack surface for pre-authentication remote code execution.

Technical Deep Dive · 4 min

The Technical Mechanism

CVE-2026-55200 is a CWE-680 (integer overflow to buffer overflow) vulnerability in ssh2_transport_read() within transport.c of libssh2 through version 1.11.1.

During the SSH Binary Packet Protocol (BPP) handshake, the server transmits packets prefixed with a 4-byte packet_length field. The libssh2 implementation validated that packet_length >= 1 but imposed no upper bound. An attacker-controlled server sends packet_length = 0xffffffff (4,294,967,295). The subsequent heap allocation calculation performs 32-bit unsigned arithmetic:

alloc_size = packet_length + LIBSSH2_PACKET_OVERHEAD;

This addition wraps modulo 2^32, producing an allocation as small as 19 bytes. The packet-processing logic then uses the original 0xffffffff value to bound the subsequent memcpy-equivalent write into that undersized buffer, producing an out-of-bounds write that corrupts adjacent heap metadata and application data.

The attack fires during the transport-layer key exchange (KEX), before SSH_MSG_USERAUTH_REQUEST is ever sent. Any call path reaching libssh2_session_handshake() against an attacker-controlled endpoint is vulnerable. Network interposition (DNS hijacking, BGP manipulation, compromised upstream service) can redirect a client connecting to a legitimate server to a malicious one without the client's knowledge.

The upstream fix (commit 97acf3df, PR #2052, merged June 12, 2026) adds a single guard before the arithmetic:

if (packet_length > LIBSSH2_PACKET_MAXPAYLOAD)
    return LIBSSH2_ERROR_OUT_OF_BOUNDARY;
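As an added example (not libssh2's code and not the PoC's probe), here is the vulnerable computation beside the guarded one in C. ASSUMED_PACKET_OVERHEAD and ASSUMED_MAX_PAYLOAD are assumed values standing in for the library's constants; the overhead is picked so the wrap lands on the 19 bytes quoted above.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>

/* Assumed values, not libssh2's own constants: the overhead is chosen so the
   wrapped result matches the 19-byte figure above; the payload ceiling follows
   the 35000-byte packet size every SSH implementation must accept (RFC 4253). */
#define ASSUMED_PACKET_OVERHEAD 20u
#define ASSUMED_MAX_PAYLOAD     35000u
#define ERR_OUT_OF_BOUNDARY     (-1)   /* stand-in for the library's error code */

/* Vulnerable pattern: only a lower bound is checked, then the length is added
   to a constant in 32-bit unsigned arithmetic, which wraps modulo 2^32. */
uint32_t alloc_size_unchecked(uint32_t packet_length) {
    if (packet_length < 1)
        return 0;                                   /* the only old check */
    return packet_length + ASSUMED_PACKET_OVERHEAD; /* 0xffffffff + 20 -> 19 */
}

/* Fixed pattern: reject any length above the protocol ceiling before the
   arithmetic. Returns 0 and sets *alloc_size, or ERR_OUT_OF_BOUNDARY. */
int alloc_size_checked(uint32_t packet_length, uint32_t *alloc_size) {
    if (packet_length < 1 || packet_length > ASSUMED_MAX_PAYLOAD)
        return ERR_OUT_OF_BOUNDARY;
    /* Cannot wrap below the ceiling; kept so a raised ceiling stays safe. */
    if (packet_length > UINT32_MAX - ASSUMED_PACKET_OVERHEAD)
        return ERR_OUT_OF_BOUNDARY;
    *alloc_size = packet_length + ASSUMED_PACKET_OVERHEAD;
    return 0;
}

/* True when the unchecked allocation is smaller than the length the packet
   claims, i.e. a copy bounded by packet_length would run off the buffer. */
bool would_overflow(uint32_t packet_length) {
    return alloc_size_unchecked(packet_length) < packet_length;
}

int main(void) {
    uint32_t sz = 0, pl = 0xffffffffu;
    printf("unchecked: packet_length=0x%08x -> %u-byte allocation, overflow=%s\n",
           (unsigned)pl, (unsigned)alloc_size_unchecked(pl), would_overflow(pl) ? "yes" : "no");
    printf("checked:   packet_length=0x%08x -> rc=%d\n", (unsigned)pl, alloc_size_checked(pl, &sz));
    pl = 4096u;
    int rc = alloc_size_checked(pl, &sz);
    printf("checked:   packet_length=%u -> rc=%d, %u-byte allocation\n", (unsigned)pl, rc, (unsigned)sz);
    return 0;
}
```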

The public PoC in the "exploitarium" repository contains three components:

  • cve_2026_55200_probe.c: standalone C11 arithmetic verifier demonstrating the integer wrap
  • libpwn_cve_2026_55200_server.py: minimal malicious SSH server scaffold delivering the crafted packet
  • libpwn_local_rce_harness.c + libpwn_local_rce_exploit.py: controlled local RCE harness modeling heap overwrite into callback-pointer control, producing a proof file

The PoC is not a turnkey remote exploit. Reliable code execution against a live target depends on the allocator implementation, memory mitigations (ASLR, heap hardening), and how the embedding application uses libssh2. For a well-understood CWE-680 class, the gap between a working local trigger and a weaponized remote exploit is historically measured in days to weeks.

CVSS v4.0 score: 9.2 (AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H). CVSS v3.1 score: 9.8.

The companion vulnerabilities disclosed simultaneously: CVE-2026-55199 (CVSS 8.2, pre-auth CPU exhaustion via bogus extension count) and CVE-2025-15661 (CVSS 8.3, SFTP heap over-read).

INTEGER OVERFLOW TO HEAP OVERWRITE

  1. Server sends crafted packet: packet_length = 0xffffffff
  2. No upper-bound check exists: only the minimum of 1 was validated
  3. 32-bit addition wraps: result ~19 bytes allocated
  4. Full payload written to buffer: out-of-bounds write corrupts the heap
  5. Heap metadata overwritten: attacker gains a code execution path

The fix adds one upper-bound guard before the arithmetic. Without it, one packet is enough.

CVE and Advisories

No official tagged libssh2 release containing the fix exists as of June 30, 2026. Fixed distribution packages: Debian trixie (1.11.1-1+deb13u1), Debian sid (1.11.1-4). Bullseye and bookworm backports in progress. Ubuntu 26.04 and 25.10 under evaluation.

MITRE ATT&CK Mapping

Technique ID | ATT&CK name | How it appeared
T1190 | Exploit Public-Facing Application | The vulnerability is triggered via the client's outbound SSH connection to an attacker-controlled server, exploiting the application's use of libssh2 during the handshake.
T1195 | Supply Chain Compromise | libssh2 is embedded as a dependency in curl, Git, PHP, and hundreds of other tools; a flaw in the library propagates to all consumers.
T1059 | Command and Interpreter Execution | Successful heap overflow exploitation enables arbitrary code execution in the context of the process calling libssh2_session_handshake().
T1557 | Adversary-in-the-Middle | An attacker without a malicious server can interpose on the network path via DNS hijacking or BGP manipulation to deliver the crafted packet to a client connecting to a legitimate server.
T1072 | Software Deployment Tools | CI/CD runners and deployment pipelines that use libssh2 for Git clones or SFTP transfers are high-value targets: code execution on a runner can compromise the entire build pipeline.

Indicators of Compromise

Detection is structurally difficult. The malicious packet is delivered during the SSH handshake, before any session is established, and produces no application-layer log entry. Standard SSH server logs record inbound connections; they do not record what a client received from a server it connected to.

Network Indicators

  • Outbound SSH connections (TCP port 22, or non-standard SSH ports) to unexpected or newly registered endpoints from CI/CD runners, backup agents, or automated pipeline processes
  • SSH connections to endpoints not present in an allowlist of known SSH destinations
  • Anomalous process crashes or restarts in processes that embed libssh2, particularly during SSH handshake phases

Host Indicators

  • Process crashes (SIGSEGV, SIGABRT) in curl, Git, php-fpm, or backup agent processes during outbound SSH operations
  • Unexpected child processes spawned from CI/CD runner processes
  • Heap corruption signals in application logs immediately following an outbound SSH connection attempt

Detection Gap

Because the vulnerability fires pre-authentication, there is no SSH session record, no authentication log, and no application-layer event to correlate. Detection depends on network flow monitoring (anomalous outbound SSH destinations) and process-level crash telemetry. Organizations without outbound SSH allowlisting have limited visibility into whether exploitation has been attempted.
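An added example, not from the article, that combines the two signals this section leaves defenders with: outbound SSH flows to destinations outside an allowlist, and crashes of libssh2-embedding processes shortly after an outbound SSH flow from the same host. The records, the allowlist and the process list are constructed and assumed.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
/* Constructed telemetry for this example (not real data). Every record reads
   "<kind> <seconds> <host> <a> <b>": FLOW ts host destination service, or
   CRASH ts host process signal. */
static const char *const EVENTS[] = {
    "FLOW 100 ci-runner-01 git.internal.example ssh",
    "FLOW 130 ci-runner-01 203.0.113.77 ssh",
    "CRASH 131 ci-runner-01 git SIGSEGV",
    "FLOW 200 backup-01 sftp.backup.example ssh",
    "CRASH 260 backup-01 backup-agent SIGABRT",
    "FLOW 300 ci-runner-02 registry.internal.example ssl",
};
#define NUM_EVENTS (sizeof EVENTS / sizeof EVENTS[0])
/* Assumed allowlist of approved SSH destinations and assumed libssh2-embedding processes. */
static const char *const SSH_ALLOWLIST[] = { "git.internal.example", "sftp.backup.example" };
static const char *const LIBSSH2_PROCS[] = { "git", "curl", "php-fpm", "backup-agent" };
#define IN_LIST(s, l) in_list((s), (l), sizeof (l) / sizeof (l)[0])
static bool in_list(const char *s, const char *const *l, size_t n) {
    for (size_t i = 0; i < n; i++) if (strcmp(s, l[i]) == 0) return true;
    return false;
}
/* Splits one record into its five fields; false on a malformed line. */
static bool parse(const char *r, char *k, long *t, char *h, char *a, char *b) {
    return sscanf(r, "%7s %ld %63s %63s %31s", k, t, h, a, b) == 5;
}
/* True if an outbound SSH flow from 'host' occurred at most 10 seconds before time 'ts'. */
bool ssh_flow_just_before(const char *host, long ts) {
    char k[8], h[64], a[64], b[32]; long t;
    for (size_t i = 0; i < NUM_EVENTS; i++)
        if (parse(EVENTS[i], k, &t, h, a, b) && !strcmp(k, "FLOW") && !strcmp(b, "ssh")
            && !strcmp(h, host) && t <= ts && ts - t <= 10L) return true;
    return false;
}
/* Prints one alert per finding and returns the count: SSH flows (any port, by detected
   service) to unapproved destinations, and libssh2-process crashes right after an SSH flow. */
int count_alerts(void) {
    char k[8], h[64], a[64], b[32]; long t; int n = 0;
    for (size_t i = 0; i < NUM_EVENTS; i++) {
        if (!parse(EVENTS[i], k, &t, h, a, b)) continue;
        bool bad_dst = !strcmp(k, "FLOW") && !strcmp(b, "ssh") && !IN_LIST(a, SSH_ALLOWLIST);
        bool crash = !strcmp(k, "CRASH") && IN_LIST(a, LIBSSH2_PROCS) && ssh_flow_just_before(h, t);
        if (bad_dst || crash) { printf("ALERT %s: %s\n", bad_dst ? "unapproved SSH destination"
                                       : "libssh2 process crash after outbound SSH", EVENTS[i]); n++; }
    }
    return n;
}
int main(void) { printf("%d alert(s)\n", count_alerts()); return 0; }
```

The sample set yields two alerts: the flow to the unlisted address, and the git crash one second after it; the backup-agent crash is not correlated because its last SSH flow was 60 seconds earlier.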

Attribution

No nation-state or APT group attribution exists for CVE-2026-55200. The vulnerability was discovered and responsibly reported by security researcher Tristan Madani (@TristanInSec), credited in upstream patch commit 97acf3df.

The public PoC was released on June 29, 2026, by an anonymous researcher operating under the GitHub handle "bikini" as part of the "exploitarium" repository dump, without prior vendor notification. Bikini claims to have used AI-assisted fuzzing (initially described as GPT-5.5-3-Codex-Spark, later revised to GPT-5.3) to automate vulnerability discovery across 22 software projects, with manual review and hand-typed PoC code. Federal Signal analyst Ethan Andrews assessed CVE-2026-55200 as the most severe finding in the dump and stated active exploitation has been independently observed as of June 29, 2026. CISA's Known Exploited Vulnerabilities catalog does not list CVE-2026-55200 as of June 30, 2026.


Primary Sources