libssh2 client-side SSH memory corruption flaw (CVE-2026-55200)

Vulnerability
H score 37
1 unique source, 1 article

Summary

A public proof-of-concept for CVE-2026-55200 exposes libssh2 clients to memory corruption and possible code execution when they connect to a malicious SSH server. The flaw affects releases through 1.11.1, and a fix has already been published.

Related Happenings

NHS England Digital libssh2 update advisory for CVE-2026-55200

Advisory/Mitigation
H score 38 · First: 29.06.2026 10:06 · Last: 29.06.2026 10:06 · Sources: 1

How related: NHS England Digital has issued an advisory urging affected organizations to update.

About this happening: **NHS England Digital** has issued an **update advisory** for **libssh2** after a public proof-of-concept surfaced for **CVE-2026-55200**. The flaw can let a **malicious or compro...

Timeline

  1. 29.06.2026 10:06 1 article · 2h ago

    libssh2 maintainers merge fix for CVE-2026-55200

    Technical Analysis Update

    Maintainers merge pull request #2052 on June 12, adding the missing upper-bound check for packet_length in ssh2_transport_read() so values above LIBSSH2_PACKET_MAXPAYLOAD are rejected before the 32-bit size math can wrap and produce an out-of-bounds heap write.

  2. 29.06.2026 10:06 1 article · 2h ago

    VulnCheck publishes CVE-2026-55200 for libssh2

    Initial Disclosure

    VulnCheck publishes CVE-2026-55200 on June 17 for a critical libssh2 flaw affecting releases through 1.11.1, where a malicious or compromised SSH server can trigger memory corruption on a connecting client and potentially reach code execution with no credentials or user interaction.

  3. 29.06.2026 10:06 2 articles · 2h ago

    Public proof-of-concept appears for CVE-2026-55200

    Technical Analysis Update

    A public exploitarium archive adds a locally verified SSH trigger scaffold and a controlled local RCE harness for CVE-2026-55200, while CISA still rates exploitation as none and no in-the-wild use has been reported.

  4. 29.06.2026 10:06 1 article · 2h ago

    NHS England Digital urges organizations to update libssh2 deployments

    Mitigation Patch Update

    NHS England Digital urges affected organizations to update while downstream backports and patched source builds roll out; Debian already has a repaired build in testing, and bundled or static copies in curl, Git, and PHP still need inventorying.
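The upper-bound check described in the first timeline entry, shown as an added example that is not libssh2's code or the merged patch: it contrasts 32-bit size arithmetic on an unvalidated `packet_length` with the same arithmetic behind a bound. `DEMO_PACKET_MAXPAYLOAD` (a stand-in for `LIBSSH2_PACKET_MAXPAYLOAD`), `DEMO_OVERHEAD`, the sample headers and all function names are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed values for this demo only: a stand-in for LIBSSH2_PACKET_MAXPAYLOAD
 * and a constructed per-packet overhead. Neither is taken from libssh2. */
#define DEMO_PACKET_MAXPAYLOAD 40000u
#define DEMO_OVERHEAD 36u

/* Constructed 4-byte length prefixes as a server would send them. */
static const unsigned char DEMO_OVERSIZED_HDR[4] = {0xff, 0xff, 0xff, 0xf0};
static const unsigned char DEMO_NORMAL_HDR[4] = {0x00, 0x00, 0x01, 0x00};

/* Decode the big-endian uint32 packet_length field. */
static uint32_t read_u32_be(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* No upper bound: the 32-bit sum wraps, so the size used for allocation
 * can be far smaller than the length the peer declared. */
static uint32_t total_size_unchecked(uint32_t packet_length)
{
    return packet_length + DEMO_OVERHEAD;
}

/* Bounded: validate the peer-supplied length before doing any arithmetic.
 * Returns the total size, or 0 when the packet must be rejected. */
static size_t total_size_checked(uint32_t packet_length)
{
    if (packet_length < 1 || packet_length > DEMO_PACKET_MAXPAYLOAD)
        return 0;
    return (size_t)packet_length + DEMO_OVERHEAD;
}

int main(void)
{
    const unsigned char *hdrs[2] = {DEMO_OVERSIZED_HDR, DEMO_NORMAL_HDR};
    for (int i = 0; i < 2; i++) {
        uint32_t len = read_u32_be(hdrs[i]);
        printf("declared=%lu unchecked=%lu checked=%lu\n",
               (unsigned long)len,
               (unsigned long)total_size_unchecked(len),
               (unsigned long)total_size_checked(len));
    }
    return 0;
}
```

For the oversized header the unchecked sum is a small number while the declared length is close to 4 GiB, which is the mismatch that turns a later copy into an out-of-bounds heap write; the checked path rejects the packet before any size is computed.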