← All articles

Public exploit released for critical libssh2 flaw affecting curl, Git, and more

A public proof-of-concept has been released for a critical flaw in libssh2 (CVE-2026-55200), the client-side SSH library embedded in curl, Git, PHP, backup agents, firmware updaters, and countless appliances. A malicious or compromised SSH server can send a crafted packet that corrupts memory on the connecting client, with no credentials or user interaction needed, potentially leading to code execution. Rated 9.2, the bug affects all versions through 1.11.1. The fix was merged into the source on June 12, but no tagged release exists yet, so distributions are backporting it. The hardest part is that libssh2 is often statically bundled, so package updates miss those copies entirely.

Check
Inventory everything that links libssh2, including statically bundled copies inside curl, Git, PHP, backup tools, and appliances that package managers will not flag, especially anything connecting to untrusted SSH servers.
Affected
Any software using libssh2 through version 1.11.1 that connects to an untrusted or attacker-controlled SSH server (CVE-2026-55200); the malicious server, not the client, triggers the memory corruption without authentication.
Fix
Apply a build that includes the upstream fix, whether a distribution backport or patched source, watch vendor advisories for tagged releases, and restrict outbound SSH to untrusted servers until patched.