
CVE-2026-55200 is a critical out-of-bounds write vulnerability in libssh2's ssh2_transport_read() function that fails to enforce upper bounds on the packet_length field during SSH packet processing. It affects libssh2 through version 1.11.1 and was disclosed on June 17, 2026, with a fix merged on June 12, 2026 via commit 97acf3d. The vulnerability carries a CVSS v3.1 base score of 9.8 (Critical) and a CVSS v4.0 base score of 9.2 (Critical) (Github Advisory, Red Hat Bugzilla).
The root cause is classified as CWE-680 (Integer Overflow to Buffer Overflow). In the vulnerable code path within src/transport.c, the function reads a 32-bit packet_length from the SSH packet and only checks that it is not less than 1, without enforcing an upper bound against LIBSSH2_PACKET_MAXPAYLOAD. An attacker can send a crafted SSH packet with packet_length=0xffffffff; when this value is added to mac_len and auth_len in a 32-bit integer expression before being widened to size_t, integer wraparound occurs — for example, 0xffffffff + 0 + 16 wraps to 15, and 4 + 15 yields an allocation of only 19 bytes. Subsequent processing then uses the original oversized packet_length value to write into this undersized heap buffer, enabling heap corruption. The fix adds a guard if(p->packet_length > LIBSSH2_PACKET_MAXPAYLOAD) return LIBSSH2_ERROR_OUT_OF_BOUNDARY; before the vulnerable addition (libssh2 PR #2052, libssh2 commit, PoC repo).
Successful exploitation allows an unauthenticated remote attacker to corrupt heap memory and achieve remote code execution on any system or application using a vulnerable version of libssh2 (≤1.11.1). Because libssh2 is widely embedded in tools such as curl, git, and numerous SSH client applications, the attack surface is broad and affects confidentiality, integrity, and availability at the highest level. An attacker gaining code execution in the context of the libssh2-consuming process could pivot to further lateral movement, credential theft, or full system compromise (Github Advisory, Red Hat Bugzilla).
The attack chain starts with a malicious SSH server (for example, libpwn_cve_2026_55200_server.py from the public PoC) on an attacker-controlled host. The server negotiates a standard SSH handshake using curve25519-sha256, an RSA host key, and chacha20-poly1305@openssh.com. It then sends a packet whose packet_length field is set to 0xffffffff. In the client's ssh2_transport_read(), the expression packet_length + mac_len + auth_len wraps around in 32-bit arithmetic (e.g., 0xffffffff + 0 + 16 = 15), causing only 19 bytes to be allocated on the heap. Subsequent processing then writes using the original packet_length value into the undersized 19-byte allocation, corrupting adjacent heap memory.
Indicators to watch for include unexpected child processes of libssh2-linked applications, such as shells (/bin/bash, cmd.exe) or network utilities (wget, curl, nc); crashes or segmentation faults in libssh2-linked processes with heap corruption signatures in core dumps; LIBSSH2_ERROR_OUT_OF_BOUNDARY or LIBSSH2_ERROR_DECRYPT errors in patched versions; and crash reports or core dumps from libssh2-consuming applications with heap corruption stack traces involving ssh2_transport_read().
The vulnerability is fixed in libssh2 commit 97acf3dfda80c91c3a8c9f2372546301d4a1a7a8 (merged June 12, 2026), which adds an upper-bound check on packet_length against LIBSSH2_PACKET_MAXPAYLOAD before the vulnerable integer addition (libssh2 commit, libssh2 PR #2052). Downstream distributions including Debian, Alpine, openSUSE, and others have begun releasing updated packages. As a workaround where patching is not immediately possible, restrict SSH client connections to trusted, known-good SSH servers and block outbound SSH to untrusted hosts at the network perimeter. Monitor for anomalous SSH connection attempts and application crashes consistent with heap corruption.
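The wraparound described in the root-cause paragraph and in the attack chain above, as an added example that is not libssh2's own code: the pre-fix 32-bit addition modelled beside the bounded check that the fix introduces. PACKET_MAXPAYLOAD, LEN_REJECTED and the function names are illustrative stand-ins; the 40000-byte cap is an assumed value, not taken from the page, and the size_t casts in the fixed path are this example's extra precaution rather than part of the described fix.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <inttypes.h>

/* Illustrative stand-in for libssh2's LIBSSH2_PACKET_MAXPAYLOAD; 40000 is an assumed value. */
#define PACKET_MAXPAYLOAD 40000u
/* Hypothetical "length rejected" sentinel; libssh2 itself returns LIBSSH2_ERROR_OUT_OF_BOUNDARY. */
#define LEN_REJECTED ((size_t)-1)

/* Pre-fix arithmetic: the three 32-bit header fields are summed as uint32_t, so the
 * sum wraps modulo 2^32 before it is widened to size_t for the allocation. */
size_t alloc_size_vulnerable(uint32_t packet_length, uint32_t mac_len, uint32_t auth_len)
{
    uint32_t total = packet_length + mac_len + auth_len; /* 0xffffffff + 0 + 16 wraps to 15 */
    return (size_t)4 + (size_t)total;                   /* plus 4 bytes for the length field: 19 */
}

/* Post-fix arithmetic: keep the existing "not less than 1" check, add the upper bound the fix
 * introduces, and only then add the fields (in size_t here as an extra precaution). */
size_t alloc_size_fixed(uint32_t packet_length, uint32_t mac_len, uint32_t auth_len)
{
    if (packet_length < 1 || packet_length > PACKET_MAXPAYLOAD)
        return LEN_REJECTED;
    return (size_t)4 + (size_t)packet_length + (size_t)mac_len + (size_t)auth_len;
}

/* 1 when the bytes the packet claims to carry would not fit the allocated buffer
 * (the out-of-bounds write condition); 0 for a rejected length or a fitting packet. */
int write_exceeds_alloc(uint32_t packet_length, size_t alloc)
{
    if (alloc == LEN_REJECTED)
        return 0;
    return (size_t)packet_length > alloc;
}

int main(void)
{
    const uint32_t crafted = 0xffffffffu, benign = 1000u, mac_len = 0u, auth_len = 16u;
    size_t vuln = alloc_size_vulnerable(crafted, mac_len, auth_len);
    size_t fixed = alloc_size_fixed(crafted, mac_len, auth_len);

    printf("vulnerable: packet_length=0x%" PRIx32 " allocates %zu bytes, overflow=%d\n",
           crafted, vuln, write_exceeds_alloc(crafted, vuln));
    printf("fixed:      packet_length=0x%" PRIx32 " -> %s\n", crafted,
           fixed == LEN_REJECTED ? "rejected (out of boundary)" : "accepted");
    printf("fixed:      packet_length=%" PRIu32 " allocates %zu bytes\n",
           benign, alloc_size_fixed(benign, mac_len, auth_len));
    return 0;
}
```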
Heise Online covered the vulnerability with an article titled "Security vulnerabilities endanger connections via libssh2," noting the broad impact given libssh2's use in curl and other widely deployed tools (Heise). Security researcher Harry Sintonen and others discussed the vulnerability on Mastodon/infosec.exchange, and the Yocto Project security mailing list flagged it for embedded Linux users. The oss-security mailing list saw multiple threads (oss-sec/2026/q2/1010, 1011, 1014, 1017) discussing the vulnerability and PoC release. The Hong Kong Government CERT (GovCERT.HK) issued an alert, and the openSUSE security announce list published a patch advisory. Community discussion on the Manjaro forum included questions about removing SSH entirely, reflecting user concern about the broad attack surface.
Source: This report was generated with the aid of AI