{"id":"CVE-2026-55200","summary":"libssh2 - Out-of-Bounds Write via Unchecked packet_length in transport.c","details":"libssh2 through 1.11.1, fixed in commit 7acf3df contains an out-of-bounds write vulnerability in ssh2_transport_read() that fails to enforce upper bounds on packet_length field. Remote attackers can send crafted SSH packets with excessively large packet_length values to corrupt heap memory and achieve remote code execution.","modified":"2026-07-08T08:12:42.024802914Z","published":"2026-06-17T19:03:15.183Z","related":["CGA-m8vx-7w4c-6cjw","SUSE-SU-2026:22284-1","SUSE-SU-2026:22364-1","openSUSE-SU-2026:11109-1","openSUSE-SU-2026:21057-1"],"database_specific":{"cna_assigner":"VulnCheck","cwe_ids":["CWE-680"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/55xxx/CVE-2026-55200.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/55xxx/CVE-2026-55200.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-55200"},{"type":"ADVISORY","url":"https://www.vulncheck.com/advisories/libssh2-out-of-bounds-write-via-unchecked-packet-length-in-transport-c"},{"type":"REPORT","url":"https://github.com/libssh2/libssh2/pull/2052"},{"type":"FIX","url":"https://github.com/libssh2/libssh2/commit/97acf3dfda80c91c3a8c9f2372546301d4a1a7a8"},{"type":"PACKAGE","url":"https://github.com/libssh2/libssh2"},{"type":"EVIDENCE","url":"https://web.archive.org/web/20260623211210/https://github.com/bikini/exploitarium/tree/main/libssh2-cve-2026-55200-poc"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/libssh2/libssh2","events":[{"introduced":"0"},{"fixed":"97acf3dfda80c91c3a8c9f2372546301d4a1a7a8"}],"database_specific":{"source":["CPE_RANGE","REFERENCES"],"cpe":"cpe:2.3:a:libssh2:libssh2:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"last_affected":"1.11.1"}]}}],"versions":["libssh2-1.11.1","libssh2-1.11.0","libssh2-1.10.0","libssh2-1.9.0","libssh2-1.8.0","libssh2-1.7.0","libssh2-1.6.0","libssh2-1.5.0","libssh2-1.4.3","libssh2-1.4.2","libssh2-1.4.1","libssh2-1.4.0","libssh2-1.3.0","libssh2-1.2.9","libssh2-1.2.8","libssh2-1.2.7","libssh2-1.2.6","libssh2-1.2.5","libssh2-1.2.4","libssh2-1.2.3","libssh2-1.2.1","libssh2-1.2","RELEASE.1.1","RELEASE.1.0","RELEASE.0.18","RELEASE.0.17","RELEASE.0.16","RELEASE.0.15","beforenb2-0.14","beforenb-0.14","RELEASE.0.14","RELEASE.0.13","RELEASE.0.12","RELEASE.0.11","RELEASE.0.10","RELEASE.0.8","RELEASE.0.7","RELEASE.0.6","RELEASE.0.5","RELEASE.0.3","RELEASE.0.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-55200.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}]}