Pre-authentication Denial of Service in libssh2 via Malicious SSH Server
CVE-2026-55199

8.2 HIGH

Key Information:

Vendor

Libssh2

Status
Vendor
CVE Published:
17 June 2026

What is CVE-2026-55199?

libssh2 versions prior to 1.11.1 are vulnerable to a pre-authentication denial of service. A malicious SSH server can trigger it by sending a crafted extension count during key exchange: setting the 'nr_extensions' value to an excessively large number (0xFFFFFFFF) sends the client into a CPU-exhaustion loop in which it spins for an extended period without responding. The root cause is that return values from _libssh2_get_string() go unchecked, so the client never notices that the input has run out and keeps consuming CPU in what otherwise looks like normal operation, posing a significant risk to operational stability.
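The root cause described above, a count-driven loop that ignores what the string reader returns, is easiest to see in a small parser. The following is an added example written for this page, not libssh2's own code: a minimal EXT_INFO-style parser (read_u32, get_string, parse_ext_info and the constructed sample in demo_hostile_count are hypothetical names) that checks every get_string() result, so a server-chosen count of 0xFFFFFFFF ends the loop as soon as the data runs out instead of spinning.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed illustration of the bug class, not libssh2's own code.
 * SSH wire "string" = 4-byte big-endian length + that many bytes. */
static uint32_t read_u32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Returns 0 on success, -1 if the buffer is exhausted or the length overruns it. */
static int get_string(const unsigned char **p, const unsigned char *end,
                      const unsigned char **out, uint32_t *outlen)
{
    uint32_t len;
    if ((size_t)(end - *p) < 4)
        return -1;
    len = read_u32(*p);
    *p += 4;
    if ((size_t)(end - *p) < len)
        return -1;
    *out = *p; *outlen = len; *p += len;
    return 0;
}

/* Parse an EXT_INFO-style body: uint32 nr_extensions, then that many (name, value)
 * string pairs. Returns pairs parsed, or -1 on bad input. Every get_string() result
 * is checked, so a server-chosen count of 0xFFFFFFFF fails as soon as data runs out. */
int parse_ext_info(const unsigned char *buf, size_t buflen)
{
    const unsigned char *p = buf, *end = buf + buflen, *name, *value;
    uint32_t nr_extensions, namelen, valuelen, i, parsed = 0;
    if (buflen < 4) return -1;
    nr_extensions = read_u32(p);
    p += 4;
    for (i = 0; i < nr_extensions; i++) {
        if (get_string(&p, end, &name, &namelen) != 0 ||
            get_string(&p, end, &value, &valuelen) != 0)
            return -1; /* truncated input: stop instead of looping on */
        parsed++;
    }
    return (int)parsed;
}

/* Constructed sample: a server claiming 0xFFFFFFFF extensions but sending only one. */
int demo_hostile_count(void)
{
    static const unsigned char msg[] = {0xFF, 0xFF, 0xFF, 0xFF, 0, 0, 0, 4, 'p', 'i', 'n', 'g', 0, 0, 0, 1, 'x'};
    return parse_ext_info(msg, sizeof msg); /* -1, returned immediately */
}
```

The unchecked-return variant differs only in ignoring the -1 from get_string(); with the count above it would iterate 0xFFFFFFFF times over an already exhausted buffer.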

Affected Version(s)

libssh2 0 <= 1.11.1

libssh2 17626857d20b3c9a1addfa45979dadcee1cd84a4

References

CVSS V4

Score:
8.2
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Tristan Madani (@TristanInSec)