A public proof-of-concept (PoC) exploit is now circulating for CVE-2026-55200, a critical vulnerability in libssh2 that can be triggered by a malicious or compromised SSH server against any connecting client. The flaw requires no credentials or user interaction, and affects all libssh2 releases up to and including version 1.11.1.

The vulnerability carries a CVSS 4.0 score of 9.2, reflecting its potential for remote code execution. As a client-side library, libssh2 is widely embedded in applications and tools that connect to SSH servers, making the scope of impacted systems broad. Active exploitation is considered likely given the public availability of exploit code.

Technically, the bug is a memory corruption issue. A hostile SSH server can send crafted responses during the handshake that corrupt memory on the client, potentially allowing the attacker to execute arbitrary code on the victim's machine. No specific indicators of compromise have been published, but administrators should monitor for unusual outbound SSH connections.

The libssh2 project has not yet released a patched version addressing CVE-2026-55200, leaving users reliant on workarounds. Affected parties should restrict SSH client connections to trusted servers, disable legacy key exchange algorithms, and monitor the project for a security update. No timeline for a fix has been announced.
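As an added illustration of two of the controls above, not code from the article or the libssh2 project: a small Python helper that flags libssh2 builds inside the stated affected range (up to and including 1.11.1) and applies a trusted-server allowlist to outbound connection records. The log format, field names, allowlist and addresses are constructed for the example.

```python
import re
from typing import Dict, List, Set, Tuple

# Affected range stated for CVE-2026-55200: every release up to and including 1.11.1.
LAST_AFFECTED = (1, 11, 1)

def parse_version(text: str) -> Tuple[int, int, int]:
    """Pull a major.minor[.patch] triple out of strings like '1.11.1' or 'libssh2 1.9.0'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)

def is_affected(text: str) -> bool:
    """True when the build falls inside the affected range (no fixed release exists yet)."""
    return parse_version(text) <= LAST_AFFECTED

# Constructed outbound-connection records in an assumed format (not from any real sensor).
SAMPLE_LOG = """\
2026-03-02T10:14:07Z pid=4121 comm=git dst=203.0.113.10:22 proto=tcp
2026-03-02T10:14:09Z pid=4130 comm=curl dst=198.51.100.7:443 proto=tcp
2026-03-02T10:15:42Z pid=4188 comm=ci-runner dst=192.0.2.55:22 proto=tcp
2026-03-02T10:16:01Z pid=4201 comm=ansible dst=198.51.100.7:22 proto=tcp
"""
TRUSTED_SSH_SERVERS: Set[str] = {"203.0.113.10", "198.51.100.7"}  # assumed allowlist
SSH_PORTS = {22}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) comm=(?P<comm>\S+) dst=(?P<ip>[\d.]+):(?P<port>\d+)"
)

def unusual_ssh_connections(log: str, trusted: Set[str]) -> List[Dict[str, str]]:
    """Return SSH connections whose destination is not an approved server."""
    alerts = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m["port"]) not in SSH_PORTS:
            continue  # unparseable record, or not an SSH connection
        if m["ip"] not in trusted:
            alerts.append({"ts": m["ts"], "comm": m["comm"], "dst": m["ip"]})
    return alerts

if __name__ == "__main__":
    print("libssh2 1.11.1 affected:", is_affected("libssh2 1.11.1"))
    for a in unusual_ssh_connections(SAMPLE_LOG, TRUSTED_SSH_SERVERS):
        print("ALERT untrusted SSH destination:", a)
```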

Attribution for the discovery remains unclear, but the release of a PoC shifts the vulnerability into a higher-risk category. Organizations using libssh2 in automation, CI/CD pipelines, or remote management tools should prioritize mitigation until an official patch is available.