The open-source SSH library libssh2 is vulnerable. Attackers can exploit two security vulnerabilities to attack systems. In the worst case, malicious code can compromise computers. According to currently available information, the patch status is unclear. At the time of this report, there are no reports of attackers already exploiting the vulnerabilities.
Companies use the library in sensitive areas of the network, for example, to remotely control routers and IoT devices and to manage servers. Consequently, successful attacks could have far-reaching consequences.
Waiting for a fixed release
Both vulnerabilities (CVE-2026-55200, rated "critical", and CVE-2026-55199, rated "high") are documented on GitHub. Attackers can trigger memory errors and execute malicious code via crafted SSH packets. DoS attacks are also conceivable.
According to the developers, all libssh2 versions up to and including 1.11.1 are affected. The problem is that both security patches currently exist only as GitHub commits (7acf3df, 1762685). The fixes are apparently already in the master branch, but a new release is still pending. Spot checks of Linux distributions yielded the following: according to the Debian Security Tracker, the fixed release 1.11.1-3 is currently being tested. In Kali Linux, this version has likely been included since May of this year.
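Because the fixes reach users as distribution backports rather than as a new upstream version, the upstream version number alone does not show whether a build is patched. The following is an added example, not code from the libssh2 project or from this report: it classifies a libssh2 version string against the affected range stated above and reads the version of the library the dynamic loader resolves. The status labels and the `PATCHED_BUILDS` table are assumptions of this sketch, and its only entry is the Debian revision named in the text.

```python
import ctypes
import ctypes.util
import re

LAST_AFFECTED = (1, 11, 1)   # article: all versions up to and including 1.11.1
# Distro builds of an affected upstream version that carry the fixes. The only
# one the article names is Debian 1.11.1-3 (in testing at the time of writing).
PATCHED_BUILDS = {"debian": ((1, 11, 1), 3)}

def parse(version):
    """'1:1.11.1-3+b1' -> ((1, 11, 1), 3); revision is None when absent."""
    version = version.split(":", 1)[-1]              # drop a Debian epoch
    upstream, _, rev = version.partition("-")
    nums = [int(n) for n in re.findall(r"\d+", upstream)[:3]]
    nums += [0] * (3 - len(nums))                    # pad '1.10' to (1, 10, 0)
    m = re.match(r"\d+", rev)
    return tuple(nums), (int(m.group()) if m else None)

def triage(version, distro=None):
    """Classify one libssh2 version string against the advisory."""
    upstream, rev = parse(version)
    if upstream > LAST_AFFECTED:
        return "newer-than-affected-range"   # assumption: later releases carry the fixes
    if distro is None or rev is None:
        return "affected"                    # plain upstream build in the affected range
    fixed = PATCHED_BUILDS.get(distro)
    if fixed is None:
        return "check-distro-advisory"       # backport status not stated in the article
    return "patched-build" if (upstream, rev) >= fixed else "affected"

def loaded_libssh2_version():
    """Upstream version of the libssh2 the dynamic loader resolves, or None."""
    name = ctypes.util.find_library("ssh2")
    if name is None:
        return None
    try:
        lib = ctypes.CDLL(name)
    except OSError:
        return None
    lib.libssh2_version.restype = ctypes.c_char_p
    lib.libssh2_version.argtypes = [ctypes.c_int]
    found = lib.libssh2_version(0)           # 0 = no minimum version required
    return found.decode() if found else None

if __name__ == "__main__":
    runtime = loaded_libssh2_version()
    print("loader resolves libssh2:", runtime or "not found")
    print("debian 1.11.1-3:", triage("1.11.1-3", "debian"))
```

`libssh2_version()` reports only the upstream version, so a patched distribution build still reads as 1.11.1 at runtime; the package revision has to come from the package manager. Statically linked or vendored copies of the library are not covered by the loader lookup.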














