CVE-2026-55199

MEDIUM

libssh2 - Pre-Authentication DoS via SSH_MSG_EXT_INFO Handler

Title source: cna

Description

libssh2 through 1.11.1 (fixed in commit 1762685) contains a pre-authentication denial of service vulnerability in the SSH_MSG_EXT_INFO handler in src/packet.c. A malicious SSH server can send a crafted extension count to drive the connecting client into a CPU exhaustion loop. Specifically, the server sets nr_extensions to 0xFFFFFFFF during key exchange; because the handler does not check the return values of _libssh2_get_string(), it keeps iterating over the claimed extensions after the packet data is exhausted, and the client spins in a tight CPU loop for over 60 seconds. The session timeout does not help, since it does not apply to CPU-bound loops.
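The pattern the description refers to, as an added example that is not libssh2 code: a simplified parser for SSH_MSG_EXT_INFO (RFC 8308 layout: byte 7, uint32 nr-extensions, then name/value string pairs), in the vulnerable form beside a hardened form, run over constructed payloads. The reader_t, get_string(), parse_ext_info_unchecked(), parse_ext_info_checked() and build_ext_info() names are hypothetical; get_string() only mirrors the success/failure contract the description attributes to _libssh2_get_string(), where a failed read leaves the cursor where it was.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SSH_MSG_EXT_INFO 7u   /* message number from RFC 8308 */

/* Bounded cursor over one decrypted SSH packet payload (hypothetical helper). */
typedef struct { const unsigned char *data; size_t len; size_t pos; } reader_t;

static int get_u32(reader_t *r, uint32_t *v)
{
    if (r->len - r->pos < 4) return -1;              /* cursor does not advance on failure */
    *v = ((uint32_t)r->data[r->pos] << 24) | ((uint32_t)r->data[r->pos + 1] << 16) |
         ((uint32_t)r->data[r->pos + 2] << 8) | (uint32_t)r->data[r->pos + 3];
    r->pos += 4;
    return 0;
}

static void put_u32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v >> 24); p[1] = (unsigned char)(v >> 16);
    p[2] = (unsigned char)(v >> 8);  p[3] = (unsigned char)v;
}

/* Same contract as described for _libssh2_get_string(): 0 on success, nonzero on
   failure. On failure the cursor stays put, so a caller that ignores the result
   re-reads the same exhausted position on every iteration. */
static int get_string(reader_t *r, const unsigned char **s, size_t *slen)
{
    uint32_t n;
    size_t save = r->pos;
    if (get_u32(r, &n) != 0) return -1;
    if (r->len - r->pos < n) { r->pos = save; return -1; }
    *s = r->data + r->pos;
    *slen = n;
    r->pos += n;
    return 0;
}

/* Vulnerable pattern: trusts the server's nr_extensions and never checks get_string().
   Returns how many loop iterations ran (the CPU cost), not how many extensions parsed. */
size_t parse_ext_info_unchecked(const unsigned char *pkt, size_t len)
{
    reader_t r = { pkt, len, 1 };
    uint32_t nr_extensions, i;
    size_t iterations = 0, nlen, vlen;
    const unsigned char *name, *value;

    if (len < 1 || pkt[0] != SSH_MSG_EXT_INFO || get_u32(&r, &nr_extensions) != 0)
        return 0;
    for (i = 0; i < nr_extensions; i++) {
        get_string(&r, &name, &nlen);    /* result ignored: fails silently once data ends */
        get_string(&r, &value, &vlen);   /* result ignored */
        iterations++;                    /* real code would match "server-sig-algs" here */
    }
    return iterations;
}

/* Hardened pattern: check every return value and refuse an extension count that the
   remaining bytes cannot hold (each extension needs at least two 4-byte lengths).
   Returns 0 on success, -1 on a malformed packet; *parsed counts extensions read. */
int parse_ext_info_checked(const unsigned char *pkt, size_t len, size_t *parsed)
{
    reader_t r = { pkt, len, 1 };
    uint32_t nr_extensions, i;
    size_t nlen, vlen;
    const unsigned char *name, *value;

    *parsed = 0;
    if (len < 1 || pkt[0] != SSH_MSG_EXT_INFO || get_u32(&r, &nr_extensions) != 0)
        return -1;
    if (nr_extensions > (r.len - r.pos) / 8)
        return -1;                       /* 0xFFFFFFFF is rejected here, before any loop */
    for (i = 0; i < nr_extensions; i++) {
        if (get_string(&r, &name, &nlen) != 0 || get_string(&r, &value, &vlen) != 0)
            return -1;
        (*parsed)++;
    }
    return 0;
}

/* Constructed SSH_MSG_EXT_INFO payload: one real extension, arbitrary nr_extensions
   header. buf must hold 13 + strlen(name) + strlen(value) bytes. Returns payload length. */
size_t build_ext_info(unsigned char *buf, uint32_t nr_extensions,
                      const char *name, const char *value)
{
    size_t nlen = strlen(name), vlen = strlen(value), pos = 0;
    buf[pos++] = SSH_MSG_EXT_INFO;
    put_u32(buf + pos, nr_extensions);  pos += 4;
    put_u32(buf + pos, (uint32_t)nlen); pos += 4;
    memcpy(buf + pos, name, nlen);      pos += nlen;
    put_u32(buf + pos, (uint32_t)vlen); pos += 4;
    memcpy(buf + pos, value, vlen);     pos += vlen;
    return pos;
}

int main(void)
{
    unsigned char pkt[128];
    size_t parsed, len = build_ext_info(pkt, 1, "server-sig-algs", "ssh-ed25519");
    printf("honest: checked=%d parsed=%zu iters=%zu\n",
           parse_ext_info_checked(pkt, len, &parsed), parsed, parse_ext_info_unchecked(pkt, len));
    len = build_ext_info(pkt, 0xFFFFFFFFu, "server-sig-algs", "ssh-ed25519");
    printf("malicious: checked=%d\n", parse_ext_info_checked(pkt, len, &parsed));
    /* The unchecked parser would run ~4.3 billion iterations on that packet; scaled down here. */
    len = build_ext_info(pkt, 100000u, "server-sig-algs", "ssh-ed25519");
    printf("malicious, count scaled to 100000: iters=%zu\n", parse_ext_info_unchecked(pkt, len));
    return 0;
}
```

The same 39-byte body drives both parsers; only the four-byte count differs. The unchecked version does one useful iteration and then burns the remaining count on reads that fail without moving the cursor, which is why a session timeout measured around socket waits never fires. The checked version fails closed on the first inconsistency and, by bounding the count against the bytes actually present, rejects the crafted header before entering the loop at all.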

Scores

CVSS v3 5.9
EPSS 0.0038
EPSS Percentile 29.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-835
Status published
Products (2)
libssh2/libssh2 < 1.11.1
libssh2/libssh2 17626857d20b3c9a1addfa45979dadcee1cd84a4
Published Jun 17, 2026
Tracked Since Jun 18, 2026