Cybernews
Critical Vulnerabilities in libssh2 Enable Remote Code Execution and DoS Attacks
Two critical vulnerabilities have been discovered in libssh2, a widely used SSH library, affecting versions up to 1.11.1. The first vulnerability, CVE-2026-55200, allows remote code execution through crafted SSH packets, with a CVSS score of 9.2. The second vulnerability, CVE-2026-55199, enables denial-of-service attacks by causing client CPU exhaustion. Both vulnerabilities can be exploited without user interaction or authentication, posing a significant risk to systems using libssh2 for remote management. Patches are available in the form of GitHub commits, but a new official release has not yet been issued. The vulnerabilities could impact millions of systems globally, including routers, IoT devices, and servers. As of now, there are no reports of active exploitation.
Key Points:
• Two critical vulnerabilities in libssh2 allow remote code execution and denial-of-service attacks.
• CVE-2026-55200 has a CVSS score of 9.2, while CVE-2026-55199 scores 8.2.
• Patches exist but are not yet officially released, leaving many systems at risk.