Cybersecurity & Protection

Critical libssh2 Vulnerability Actively Exploited: What You Need to Do Now

Jul 8, 2026 3 min read
All articles

A critical vulnerability in the widely used libssh2 library is already being actively exploited. An exploit that surfaced publicly in late June 2026 allows attackers to execute arbitrary code on affected systems. Projects including curl, PHP, and libgit2 are all in the affected range.

What is the vulnerability?

The flaw, tracked as CVE-2026-55200 (CVSS 9.2), affects libssh2 up to and including version 1.11.1. It is an "out-of-bounds write" bug: because no upper bound is enforced on the packet_length field, attackers can send crafted SSH packets with excessively large values, corrupting heap memory and enabling remote code execution.

The key attack vector requires a victim to connect with their SSH client software to a server controlled by the attacker. That server then sends specially crafted responses and can run arbitrary code on the client. The broad adoption of libssh2 across many projects makes this especially concerning.

Where did the exploit come from?

An anonymous researcher using the alias "bikini" published a GitHub repository called "bikini/exploitarium" in late June, containing 26 proof-of-concepts for previously unreported vulnerabilities. The researcher did not responsibly disclose any of the flaws to vendors beforehand. The repository has since been removed, but the exploits were already circulating and are reportedly being used in real attacks.

Alongside CVE-2026-55200, CVE-2026-58053 (CVSS 9.4) is also being exploited. It affects the Gitea act_runner on the Docker backend and enables a container escape with root privileges.

What should you do now?

An official libssh2 release is not yet available, but many Linux distributions have already shipped packages containing the fix from commit 7acf3df. Until a stable release is out, take these steps:

  • Restrict outgoing SSH connections to trusted, known servers only
  • Verify host keys consistently on every connection
  • Treat unexpectedly large packets and unexplained client crashes as warning signs
  • Update the Gitea act_runner to a version after 0.262.0