A public proof‑of‑concept exploit has been released for a critical vulnerability in the libssh2 library, tracked as CVE-2026-55200. The flaw, rated CVSS 9.2, resides in the client‑side SSH transport layer and could allow remote code execution. Users of any libssh2 release up to and including version 1.11.1 are affected, according to the advisory published by VulnCheck. The advisory details the out‑of‑bounds write condition and The Hacker News first reported the PoC release.
The vulnerability stems from an unchecked packet length field during the SSH key exchange process, leading to an out‑of‑bounds write in memory. Attackers who can manipulate a malicious SSH server can overwrite adjacent memory and gain execution privileges on the client system. All versions prior to 1.12.0 are vulnerable, with the issue present in the transport.c file of the library. The advisory notes that the flaw can be triggered without authentication, increasing its severity.
Maintainers have issued libssh2 version 1.12.0 which contains the necessary bounds check to prevent the overflow. Administrators are urged to upgrade immediately; if an immediate update is not feasible, they should restrict outbound SSH connections to only trusted servers and monitor for unexpected traffic. The patch is available from the official libssh2 repository and mirrors.
To date, no exploitation of CVE-2026-55200 has been observed in the wild and no threat actor groups have been linked to the flaw. However, the public availability of a working exploit lowers the bar for potential attackers and raises the likelihood of opportunistic scanning. Past libssh2 vulnerabilities have shown rapid adoption by botnets once PoC code appears, prompting a cautious stance.
Defensive teams should first verify which internal tools, devices or scripts depend on libssh2, including automated backup solutions, configuration management agents and custom software. After confirming the dependency, the patched version should be deployed in a test environment to verify compatibility before rolling it out to production. Continuous monitoring of SSH session logs for abnormal packet sizes or repeated connection attempts to unfamiliar endpoints can help catch exploitation attempts early.
In the longer term, organisations may consider diversifying their SSH client implementations to reduce reliance on a single library, while maintaining an inventory of third‑party components for rapid response to future advisories. Subscribing to the libssh2 mailing list or following the VulnCheck feed ensures that notice of patches arrives promptly. Prompt patching combined with vigilant network observability remains the most effective mitigation against this high‑severity flaw.