CVE-2026-55199

libssh2 - Pre-Authentication DoS via SSH_MSG_EXT_INFO Handler

Assigner: VulnCheck
Reserved: 16.06.2026 Published: 17.06.2026 Updated: 18.06.2026

libssh2 through 1.11.1, fixed in commit 1762685, contains a pre-authentication denial of service vulnerability in the SSH_MSG_EXT_INFO handler in src/packet.c that allows a malicious SSH server to cause a client CPU exhaustion loop by sending a crafted extension count value. A malicious server can set nr_extensions to 0xFFFFFFFF during key exchange, causing the client to spin in a tight CPU loop for over 60 seconds because return values from _libssh2_get_string() are unchecked and the session timeout does not apply to CPU-bound loops.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CVSS Score: 8.2

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	None	Confidentiality	None
Attack Complexity	Low	Integrity	None	Integrity	None
Attack Requirements	Present	Availability	High	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Score: 5.9

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	libssh2
Product	libssh2
Versions	Default: unaffected affected from 0 to 1.11.1 (incl.) Version 17626857d20b3c9a1addfa45979dadcee1cd84a4 is unaffected

Vendor

libssh2

Product

libssh2

Versions

Default: unaffected

affected from 0 to 1.11.1 (incl.)
Version 17626857d20b3c9a1addfa45979dadcee1cd84a4 is unaffected

Credits

Tristan Madani (@TristanInSec) finder

References

Problem Types