Vulnerability-Lookup

RHSA-2026:29950

Vulnerability from csaf_redhat - Published: 2026-06-25 13:02 - Updated: 2026-06-26 19:24

Summary

Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update

Severity

Important

Notes

Topic: An update for Red Hat Hardened Images RPMs is now available.

Details: This update includes the following RPMs: libssh2: * libssh2-1.11.1-8.hum1 (aarch64, x86_64) * libssh2-devel-1.11.1-8.hum1 (aarch64, x86_64) * libssh2-docs-1.11.1-8.hum1 (noarch) * libssh2-1.11.1-8.hum1.src (src)

Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2026-55199

A vulnerability in libssh2 allows a malicious SSH server to freeze connected clients during the handshake process. By sending a malformed packet, the server triggers a loop that exhausts the client's CPU, resulting in a denial of service.

5.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-606 - Unchecked Input for Loop Condition

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: Red Hat Hardened Images:libssh2-main@aarch64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Hardened Images:libssh2-main@noarch	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Hardened Images:libssh2-main@src	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Hardened Images:libssh2-main@x86_64	—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2026-55200

An out-of-bounds write vulnerability exists in the libssh2 client. A remote attacker can exploit this by sending a specially crafted SSH packet with an abnormally large length value. This corrupts the application's memory and can potentially allow the attacker to execute arbitrary code on the affected system.

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: Red Hat Hardened Images:libssh2-main@aarch64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Hardened Images:libssh2-main@noarch	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Hardened Images:libssh2-main@src	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Hardened Images:libssh2-main@x86_64	—	Vendor Fix fix Workaround

Threats

Impact Important

References

20 references

URL	Category
https://access.redhat.com/errata/RHSA-2026:29950	self
https://images.redhat.com/	external
https://access.redhat.com/security/cve/CVE-2026-55200	external
https://access.redhat.com/security/updates/classi…	external
https://access.redhat.com/security/cve/CVE-2026-55199	external
https://security.access.redhat.com/data/csaf/v2/a…	self
https://access.redhat.com/security/cve/CVE-2026-55199	self
https://bugzilla.redhat.com/show_bug.cgi?id=2490128	external
https://www.cve.org/CVERecord?id=CVE-2026-55199	external
https://nvd.nist.gov/vuln/detail/CVE-2026-55199	external
https://github.com/libssh2/libssh2/commit/1762685…	external
https://github.com/libssh2/libssh2/pull/1864	external
https://www.vulncheck.com/advisories/libssh2-pre-…	external
https://access.redhat.com/security/cve/CVE-2026-55200	self
https://bugzilla.redhat.com/show_bug.cgi?id=2490127	external
https://www.cve.org/CVERecord?id=CVE-2026-55200	external
https://nvd.nist.gov/vuln/detail/CVE-2026-55200	external
https://github.com/libssh2/libssh2/commit/97acf3d…	external
https://github.com/libssh2/libssh2/pull/2052	external
https://www.vulncheck.com/advisories/libssh2-out-…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for Red Hat Hardened Images RPMs is now available.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "This update includes the following RPMs:\n\nlibssh2:\n  * libssh2-1.11.1-8.hum1 (aarch64, x86_64)\n  * libssh2-devel-1.11.1-8.hum1 (aarch64, x86_64)\n  * libssh2-docs-1.11.1-8.hum1 (noarch)\n  * libssh2-1.11.1-8.hum1.src (src)",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2026:29950",
        "url": "https://access.redhat.com/errata/RHSA-2026:29950"
      },
      {
        "category": "external",
        "summary": "https://images.redhat.com/",
        "url": "https://images.redhat.com/"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-55200",
        "url": "https://access.redhat.com/security/cve/CVE-2026-55200"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/",
        "url": "https://access.redhat.com/security/updates/classification/"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-55199",
        "url": "https://access.redhat.com/security/cve/CVE-2026-55199"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_29950.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update",
    "tracking": {
      "current_release_date": "2026-06-26T19:24:22+00:00",
      "generator": {
        "date": "2026-06-26T19:24:22+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "5.2.6"
        }
      },
      "id": "RHSA-2026:29950",
      "initial_release_date": "2026-06-25T13:02:46+00:00",
      "revision_history": [
        {
          "date": "2026-06-25T13:02:46+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-06-25T14:41:13+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-06-26T19:24:22+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Hardened Images",
                "product": {
                  "name": "Red Hat Hardened Images",
                  "product_id": "Red Hat Hardened Images",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:hummingbird:1"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Hardened Images"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libssh2-main@aarch64",
                "product": {
                  "name": "libssh2-main@aarch64",
                  "product_id": "libssh2-main@aarch64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/libssh2@1.11.1-8.hum1?arch=aarch64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-aarch64-rpms"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libssh2-main@src",
                "product": {
                  "name": "libssh2-main@src",
                  "product_id": "libssh2-main@src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/libssh2@1.11.1-8.hum1?arch=src\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-source-rpms"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libssh2-main@x86_64",
                "product": {
                  "name": "libssh2-main@x86_64",
                  "product_id": "libssh2-main@x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/libssh2@1.11.1-8.hum1?arch=x86_64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libssh2-main@noarch",
                "product": {
                  "name": "libssh2-main@noarch",
                  "product_id": "libssh2-main@noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/libssh2-docs@1.11.1-8.hum1?arch=noarch\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libssh2-main@aarch64 as a component of Red Hat Hardened Images",
          "product_id": "Red Hat Hardened Images:libssh2-main@aarch64"
        },
        "product_reference": "libssh2-main@aarch64",
        "relates_to_product_reference": "Red Hat Hardened Images"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libssh2-main@noarch as a component of Red Hat Hardened Images",
          "product_id": "Red Hat Hardened Images:libssh2-main@noarch"
        },
        "product_reference": "libssh2-main@noarch",
        "relates_to_product_reference": "Red Hat Hardened Images"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libssh2-main@src as a component of Red Hat Hardened Images",
          "product_id": "Red Hat Hardened Images:libssh2-main@src"
        },
        "product_reference": "libssh2-main@src",
        "relates_to_product_reference": "Red Hat Hardened Images"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libssh2-main@x86_64 as a component of Red Hat Hardened Images",
          "product_id": "Red Hat Hardened Images:libssh2-main@x86_64"
        },
        "product_reference": "libssh2-main@x86_64",
        "relates_to_product_reference": "Red Hat Hardened Images"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-55199",
      "cwe": {
        "id": "CWE-606",
        "name": "Unchecked Input for Loop Condition"
      },
      "discovery_date": "2026-06-17T20:01:26.309958+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2490128"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A vulnerability in libssh2 allows a malicious SSH server to freeze connected clients during the handshake process. By sending a malformed packet, the server triggers a loop that exhausts the client\u0027s CPU, resulting in a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "libssh2: libssh2: Denial of Service via crafted SSH_MSG_EXT_INFO message",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "A Moderate-rated denial of service vulnerability in the libssh2 client allows a malicious SSH server to freeze the connecting application. By triggering an infinite CPU loop during the initial connection handshake, the server can render the client unresponsive.  Note: Red Hat Enterprise Linux (RHEL) 8 and newer are not affected by this flaw, as they do not ship the libssh2 package.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Hardened Images:libssh2-main@aarch64",
          "Red Hat Hardened Images:libssh2-main@noarch",
          "Red Hat Hardened Images:libssh2-main@src",
          "Red Hat Hardened Images:libssh2-main@x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-55199"
        },
        {
          "category": "external",
          "summary": "RHBZ#2490128",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2490128"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-55199",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-55199"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-55199",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-55199"
        },
        {
          "category": "external",
          "summary": "https://github.com/libssh2/libssh2/commit/17626857d20b3c9a1addfa45979dadcee1cd84a4",
          "url": "https://github.com/libssh2/libssh2/commit/17626857d20b3c9a1addfa45979dadcee1cd84a4"
        },
        {
          "category": "external",
          "summary": "https://github.com/libssh2/libssh2/pull/1864",
          "url": "https://github.com/libssh2/libssh2/pull/1864"
        },
        {
          "category": "external",
          "summary": "https://www.vulncheck.com/advisories/libssh2-pre-authentication-dos-via-ssh-msg-ext-info-handler",
          "url": "https://www.vulncheck.com/advisories/libssh2-pre-authentication-dos-via-ssh-msg-ext-info-handler"
        }
      ],
      "release_date": "2026-06-17T18:44:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-25T13:02:46+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
          "product_ids": [
            "Red Hat Hardened Images:libssh2-main@aarch64",
            "Red Hat Hardened Images:libssh2-main@noarch",
            "Red Hat Hardened Images:libssh2-main@src",
            "Red Hat Hardened Images:libssh2-main@x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:29950"
        },
        {
          "category": "workaround",
          "details": "To mitigate this issue, ensure your libssh2 clients only connect to trusted SSH servers. You can enforce this by implementing outbound network access controls (egress filtering) to block applications from initiating connections to unknown or untrusted external hosts.",
          "product_ids": [
            "Red Hat Hardened Images:libssh2-main@aarch64",
            "Red Hat Hardened Images:libssh2-main@noarch",
            "Red Hat Hardened Images:libssh2-main@src",
            "Red Hat Hardened Images:libssh2-main@x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Hardened Images:libssh2-main@aarch64",
            "Red Hat Hardened Images:libssh2-main@noarch",
            "Red Hat Hardened Images:libssh2-main@src",
            "Red Hat Hardened Images:libssh2-main@x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "libssh2: libssh2: Denial of Service via crafted SSH_MSG_EXT_INFO message"
    },
    {
      "cve": "CVE-2026-55200",
      "discovery_date": "2026-06-17T20:01:16.724927+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2490127"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "An out-of-bounds write vulnerability exists in the libssh2 client. A remote attacker can exploit this by sending a specially crafted SSH packet with an abnormally large length value. This corrupts the application\u0027s memory and can potentially allow the attacker to execute arbitrary code on the affected system.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "libssh2: libssh2 - Out-of-Bounds Write via Unchecked packet_length in transport.c",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "An Important out-of-bounds write vulnerability was discovered in libssh2. As it only impacts client installations of the library, exploitation would require a victim to initiate an SSH connection to an attacker-controlled server. This means an attacker must first redirect client connections via DNS poisoning, a man-in-the-middle, or compromise of a trusted host. While the vulnerability does not require authentication and requires no special configuration, the client redirection prerequisites significantly limit the practical attack surface compared to a server-side flaw.\n\nThe integer overflow provides uncontrolled access to the heap, which reliably crashes the client process but is unlikely to achieve remote code execution in practice. Weaponizing the overflow for code execution would require a separate information disclosure vulnerability to defeat ASLR, along with a specific heap layout to place exploitable structures adjacent to the undersized allocation. On RHEL, ASLR is enabled by default and glibc\u0027s heap metadata integrity checks further raise the bar, making denial of service the realistic impact for most deployments.\n\nRed Hat Enterprise Linux (RHEL) 8 and newer are not affected by this flaw, as they do not ship the libssh2 package.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Hardened Images:libssh2-main@aarch64",
          "Red Hat Hardened Images:libssh2-main@noarch",
          "Red Hat Hardened Images:libssh2-main@src",
          "Red Hat Hardened Images:libssh2-main@x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-55200"
        },
        {
          "category": "external",
          "summary": "RHBZ#2490127",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2490127"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-55200",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-55200"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-55200",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-55200"
        },
        {
          "category": "external",
          "summary": "https://github.com/libssh2/libssh2/commit/97acf3dfda80c91c3a8c9f2372546301d4a1a7a8",
          "url": "https://github.com/libssh2/libssh2/commit/97acf3dfda80c91c3a8c9f2372546301d4a1a7a8"
        },
        {
          "category": "external",
          "summary": "https://github.com/libssh2/libssh2/pull/2052",
          "url": "https://github.com/libssh2/libssh2/pull/2052"
        },
        {
          "category": "external",
          "summary": "https://www.vulncheck.com/advisories/libssh2-out-of-bounds-write-via-unchecked-packet-length-in-transport-c",
          "url": "https://www.vulncheck.com/advisories/libssh2-out-of-bounds-write-via-unchecked-packet-length-in-transport-c"
        }
      ],
      "release_date": "2026-06-17T19:03:15.183000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-25T13:02:46+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
          "product_ids": [
            "Red Hat Hardened Images:libssh2-main@aarch64",
            "Red Hat Hardened Images:libssh2-main@noarch",
            "Red Hat Hardened Images:libssh2-main@src",
            "Red Hat Hardened Images:libssh2-main@x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:29950"
        },
        {
          "category": "workaround",
          "details": "The primary mitigation is strict network access control. Ensure libssh2 clients only connect to trusted SSH servers, and use firewalls to block untrusted incoming connections if libssh2 is deployed as a server-side application.",
          "product_ids": [
            "Red Hat Hardened Images:libssh2-main@aarch64",
            "Red Hat Hardened Images:libssh2-main@noarch",
            "Red Hat Hardened Images:libssh2-main@src",
            "Red Hat Hardened Images:libssh2-main@x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Hardened Images:libssh2-main@aarch64",
            "Red Hat Hardened Images:libssh2-main@noarch",
            "Red Hat Hardened Images:libssh2-main@src",
            "Red Hat Hardened Images:libssh2-main@x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "libssh2: libssh2 - Out-of-Bounds Write via Unchecked packet_length in transport.c"
    }
  ]
}

CVE-2026-55199 (GCVE-0-2026-55199)

Vulnerability from cvelistv5 – Published: 2026-06-17 18:44 – Updated: 2026-06-18 15:31 X_Open Source

Title

libssh2 - Pre-Authentication DoS via SSH_MSG_EXT_INFO Handler

Summary

libssh2 through 1.11.1, fixed in commit 1762685, contains a pre-authentication denial of service vulnerability in the SSH_MSG_EXT_INFO handler in src/packet.c that allows a malicious SSH server to cause a client CPU exhaustion loop by sending a crafted extension count value. A malicious server can set nr_extensions to 0xFFFFFFFF during key exchange, causing the client to spin in a tight CPU loop for over 60 seconds because return values from _libssh2_get_string() are unchecked and the session timeout does not apply to CPU-bound loops.

Severity

8.2 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

5.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Assigner

VulnCheck

References

3 references

URL	Tags
https://github.com/libssh2/libssh2/pull/1864	issue-tracking
https://github.com/libssh2/libssh2/commit/1762685…	patch
https://www.vulncheck.com/advisories/libssh2-pre-…	third-party-advisory

Impacted products

1 product

Vendor	Product	Version
libssh2	libssh2	Affected: 0 , ≤ 1.11.1 (semver) Unaffected: 17626857d20b3c9a1addfa45979dadcee1cd84a4 (git)

Date Public

2026-04-15 00:00

Credits

Tristan Madani (@TristanInSec)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-55199",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-18T15:31:38.712448Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-18T15:31:59.479Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "libssh2",
          "repo": "https://github.com/libssh2/libssh2",
          "vendor": "libssh2",
          "versions": [
            {
              "lessThanOrEqual": "1.11.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "17626857d20b3c9a1addfa45979dadcee1cd84a4",
              "versionType": "git"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:libssh2:libssh2:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "1.11.1",
                  "vulnerable": true
                }
              ],
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Tristan Madani (@TristanInSec)"
        }
      ],
      "datePublic": "2026-04-15T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "libssh2 through 1.11.1, fixed in commit 1762685, contains a pre-authentication denial of service vulnerability in the SSH_MSG_EXT_INFO handler in src/packet.c that allows a malicious SSH server to cause a client CPU exhaustion loop by sending a crafted extension count value. A malicious server can set nr_extensions to 0xFFFFFFFF during key exchange, causing the client to spin in a tight CPU loop for over 60 seconds because return values from _libssh2_get_string() are unchecked and the session timeout does not apply to CPU-bound loops."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-835",
              "description": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-18T11:45:37.547Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "name": "Pull Request",
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/libssh2/libssh2/pull/1864"
        },
        {
          "name": "Patch Commit",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/libssh2/libssh2/commit/17626857d20b3c9a1addfa45979dadcee1cd84a4"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/libssh2-pre-authentication-dos-via-ssh-msg-ext-info-handler"
        }
      ],
      "tags": [
        "x_open-source"
      ],
      "title": "libssh2 - Pre-Authentication DoS via SSH_MSG_EXT_INFO Handler",
      "x_generator": {
        "engine": "vulncheck"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2026-55199",
    "datePublished": "2026-06-17T18:44:18.048Z",
    "dateReserved": "2026-06-16T15:53:37.764Z",
    "dateUpdated": "2026-06-18T15:31:59.479Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-55200 (GCVE-0-2026-55200)

Vulnerability from cvelistv5 – Published: 2026-06-17 19:03 – Updated: 2026-06-25 03:55 X_Open Source

Title

libssh2 - Out-of-Bounds Write via Unchecked packet_length in transport.c

Summary

libssh2 through 1.11.1, fixed in commit 7acf3df contains an out-of-bounds write vulnerability in ssh2_transport_read() that fails to enforce upper bounds on packet_length field. Remote attackers can send crafted SSH packets with excessively large packet_length values to corrupt heap memory and achieve remote code execution.

Severity

9.2 (Critical)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC

Exploitation: poc Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-680 - Integer Overflow to Buffer Overflow

Assigner

VulnCheck

References

4 references

URL	Tags
https://github.com/libssh2/libssh2/pull/2052	issue-tracking
https://github.com/libssh2/libssh2/commit/97acf3d…	patch
https://www.vulncheck.com/advisories/libssh2-out-…	third-party-advisory
https://github.com/bikini/exploitarium/tree/main/…	exploit

Impacted products

1 product

Vendor	Product	Version
libssh2	libssh2	Affected: 0 , ≤ 1.11.1 (semver) Unaffected: 7acf3dfda80c91c3a8c9f2372546301d4a1a7a8 (git)

Date Public

2026-06-12 00:00

Credits

Tristan Madani (@TristanInSec)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-55200",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-17T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-25T03:55:24.234Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/bikini/exploitarium/tree/main/libssh2-cve-2026-55200-poc"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "libssh2",
          "repo": "https://github.com/libssh2/libssh2",
          "vendor": "libssh2",
          "versions": [
            {
              "lessThanOrEqual": "1.11.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "7acf3dfda80c91c3a8c9f2372546301d4a1a7a8",
              "versionType": "git"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:libssh2:libssh2:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "1.11.1",
                  "vulnerable": true
                }
              ],
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Tristan Madani (@TristanInSec)"
        }
      ],
      "datePublic": "2026-06-12T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "libssh2 through 1.11.1, fixed in commit 7acf3df contains an out-of-bounds write vulnerability in ssh2_transport_read() that fails to enforce upper bounds on packet_length field. Remote attackers can send crafted SSH packets with excessively large packet_length values to corrupt heap memory and achieve remote code execution."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 9.2,
            "baseSeverity": "CRITICAL",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-680",
              "description": "Integer Overflow to Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-18T11:46:01.897Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "name": "Pull Request",
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/libssh2/libssh2/pull/2052"
        },
        {
          "name": "Patch Commit",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/libssh2/libssh2/commit/97acf3dfda80c91c3a8c9f2372546301d4a1a7a8"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/libssh2-out-of-bounds-write-via-unchecked-packet-length-in-transport-c"
        }
      ],
      "tags": [
        "x_open-source"
      ],
      "title": "libssh2 - Out-of-Bounds Write via Unchecked packet_length in transport.c",
      "x_generator": {
        "engine": "vulncheck"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2026-55200",
    "datePublished": "2026-06-17T19:03:15.183Z",
    "dateReserved": "2026-06-16T15:53:37.764Z",
    "dateUpdated": "2026-06-25T03:55:24.234Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

RHSA-2026:29950

CVE-2026-55199 (GCVE-0-2026-55199)

CVE-2026-55200 (GCVE-0-2026-55200)

Tags

Sightings

Nomenclature