PatchSiren cyber security CVE debrief

CVE-2026-55199 libssh2 CVE debrief

CVE-2026-55199 is a high-severity pre-authentication denial of service vulnerability in libssh2, allowing a malicious SSH server to cause a client CPU exhaustion loop. The vulnerability is triggered by a crafted extension count value in the SSH_MSG_EXT_INFO handler. A malicious server can set nr_extensions to 0xFFFFFFFF during key exchange, causing the client to spin in a tight CPU loop for over 60 seconds. This issue was fixed in commit 1762685. Organizations using libssh2 should update to the latest version to mitigate this vulnerability.

Vendor: libssh2
Product: libssh2
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-17
Original CVE updated: 2026-06-22
Advisory published: 2026-06-17
Advisory updated: 2026-06-22

Who should care

Developers and administrators using libssh2 for SSH functionality in their applications or infrastructure should prioritize updating to the latest version to prevent potential denial of service attacks.

Technical summary

The vulnerability exists in the SSH_MSG_EXT_INFO handler in src/packet.c of libssh2 through version 1.11.1. A malicious SSH server can cause a client CPU exhaustion loop by sending a crafted extension count value. Specifically, setting nr_extensions to 0xFFFFFFFF during key exchange leads to an unchecked return value from _libssh2_get_string(), causing the client to enter a CPU-bound loop. The session timeout does not apply to such loops, leading to a prolonged denial of service.
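The handler pattern the summary describes, as an added illustration that is neither libssh2's code nor the fix from commit 1762685: a parser for the SSH_MSG_EXT_INFO wire format (RFC 8308) that bounds nr_extensions by the bytes actually present and stops on the first failed string read. The names get_u32, get_string and parse_ext_info are assumed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Illustrative SSH_MSG_EXT_INFO parser (RFC 8308 wire format: message byte 7,
 * uint32 nr_extensions, then nr_extensions pairs of SSH "string", each a
 * uint32 length followed by that many bytes). A reconstruction of the
 * pattern for teaching purposes, not libssh2's code. */

static int get_u32(const uint8_t **p, const uint8_t *end, uint32_t *out) {
    if ((size_t)(end - *p) < 4) return -1;
    *out = ((uint32_t)(*p)[0] << 24) | ((uint32_t)(*p)[1] << 16) |
           ((uint32_t)(*p)[2] << 8) | (uint32_t)(*p)[3];
    *p += 4;
    return 0;
}

/* Read one SSH string and advance past it. Returns -1 when the declared length
 * overruns the buffer; ignoring this result is the defect the advisory describes. */
static int get_string(const uint8_t **p, const uint8_t *end,
                      const uint8_t **s, size_t *len) {
    uint32_t n;
    if (get_u32(p, end, &n) != 0) return -1;
    if ((size_t)(end - *p) < n) return -1;
    *s = *p;
    *len = n;
    *p += n;
    return 0;
}

/* Hardened handler: (1) nr_extensions is bounded by what the packet can hold
 * (each extension needs at least 8 bytes: two zero-length strings), so
 * 0xFFFFFFFF is rejected before any loop runs; (2) the loop stops on the
 * first failed read instead of iterating nr_extensions times regardless.
 * Returns the number of extensions parsed, or -1 on a malformed message. */
long parse_ext_info(const uint8_t *pkt, size_t pkt_len) {
    const uint8_t *p = pkt, *end = pkt + pkt_len;
    uint32_t nr;
    if (pkt_len < 1 || pkt[0] != 7 /* SSH_MSG_EXT_INFO */) return -1;
    p++;
    if (get_u32(&p, end, &nr) != 0) return -1;
    if (nr > (uint32_t)((end - p) / 8)) return -1;
    for (uint32_t i = 0; i < nr; i++) {
        const uint8_t *name, *val; size_t nlen, vlen;
        if (get_string(&p, end, &name, &nlen) != 0) return -1;
        if (get_string(&p, end, &val, &vlen) != 0) return -1;
        (void)name; (void)val; (void)nlen; (void)vlen; /* a real handler records these */
    }
    return (long)nr;
}
```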

Defensive priority

high

Recommended defensive actions

  • Update libssh2 to the latest version (post-commit 1762685) to patch the vulnerability.
  • Implement network monitoring to detect and block suspicious SSH traffic.
  • Enforce strict SSH server authentication and access controls.
  • Limit SSH server exposure to trusted networks and IPs.
  • Regularly review and update SSH configurations and dependencies.
  • Consider implementing rate limiting for SSH connections.

Evidence notes

The CVE and NVD records provide details on the vulnerability, including its CVSS score and references to the fix and disclosure information. The CVE was published on 2026-06-17 and modified on 2026-06-18.
