NCSC-2026-0210 [1.01] [M/H] Vulnerabilities fixed in libssh2 by libssh
libssh has fixed vulnerabilities in libssh2 up to version 1.11.1. The first vulnerability concerns a pre-authentication denial of service in the SSH_MSG_EXT_INFO handler. A malicious SSH server can send a specially crafted extension_count value, causing the client to enter a CPU exhaustion loop and disrupting the processing of SSH messages. The second vulnerability is in the ssh2_transport_read() function, where improper bounds checking on the packet_length variable leads to an out-of-bounds write. This can be exploited by an attacker to cause a Denial-of-Service with specially crafted SSH packets, or theoretically to execute arbitrary code on the affected system, if no additional measures such as Address Space Layout Randomization (ALSR) are taken. However, this is not a common setting on systems. Both vulnerabilities are present in all implementations using libssh2 version 1.11.1 or lower. Update: Public PoC code has emerged confirming that the vulnerability can lead to arbitrary code execution under specific conditions.
CSIRTS triage
- What
- Vulnerabilities can lead to denial of service and potential arbitrary code execution.
- Who is affected
- Users of libssh2 version 1.11.1 or lower.
- Urgency
- Remediation is urgent due to the critical nature of the vulnerabilities.
- Action
- Upgrade to a version of libssh2 higher than 1.11.1.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch libssh2
Get an email when a new libssh2 advisory drops — max one per day, one-click unsubscribe.
Details
Original advisory: https://advisories.ncsc.nl/advisory?id=NCSC-2026-0210
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-551990.41% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 33% of all scored CVEs.
- Low exploitation riskCVE-2026-552000.73% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 50% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-55199 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-55200 | coverage & exploitation status | NVD · CVE.org |
Same CVEs, other sources
How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.
- unknownMultiple vulnerabilities in Microsoft Azure Linux (July 7, 2026)cert-fr-avis
- high[UPDATE] [high] libssh2: Multiple vulnerabilitiescert-bund
- unknownDSA-6365-1 libssh2 - security updatedebian
- mediumCVE-2026-55199: libssh2 - Pre-Authentication DoS via SSH_MSG_EXT_INFO Handlermsrc
- highCVE-2026-55200: libssh2 - Out-of-Bounds Write via Unchecked packet_length in transport.cmsrc
More from NCSC-NL Advisories
- unknownNCSC-2026-0223 [1.00] [M/H] Vulnerabilities fixed in BeyondTrust Remote Support and Privileged Remote Access2026-07-10
- unknownNCSC-2026-0222 [1.00] [M/H] Vulnerabilities fixed in GitLab Enterprise Edition and Community Edition2026-07-10
- unknownNCSC-2026-0221 [1.00] [M/H] Vulnerabilities fixed in UniFi products from Ubiquiti Networks2026-07-07
- unknownNCSC-2026-0220 [1.00] [M/H] Vulnerabilities fixed in Rancher by Rancher Labs2026-07-03
- unknownNCSC-2026-0219 [1.00] [M/H] Vulnerabilities fixed in GitHub Enterprise Server2026-07-03