A critical vulnerability (CVE-2026-55200) in the libssh2 client-side SSH library allows a malicious SSH server to trigger memory corruption and potentially execute code on the client without user interaction or credentials. The flaw, present in all versions up to 1.11.1, arises from improper bounds checking on packet length during the SSH handshake, leading to an out-of-bounds heap write. A patch has been merged but not yet officially released. In the meantime, security advisories urge organizations to inventory affected software linking libssh2, apply vendor or distribution backports, restrict SSH connections to trusted servers, and monitor for anomalous behavior.
https://thehackernews.com/2026/06/public-poc-released-for-critical.html
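
One way to run the inventory step described above, as an added example (not code from the advisory or from the libssh2 project): it walks a directory and flags ELF files that either contain the library's banner string or reference its shared object. The `SSH-2.0-libssh2_<version>` banner format and the `libssh2.so` name are assumptions about a default build; the function names and the sample files are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumption: the default banner macro in libssh2.h, "SSH-2.0-libssh2_<version>",
# is compiled into every file that contains the library code.
BANNER_RE = re.compile(rb"SSH-2\.0-libssh2_(\d+)\.(\d+)\.(\d+)")
SONAME_RE = re.compile(rb"libssh2\.so(\.\d+)*")  # reference left by dynamic linking
LAST_AFFECTED = (1, 11, 1)  # page: "all versions up to 1.11.1"


def classify(data: bytes):
    """Return (kind, version, needs_review) for one file's bytes, or None."""
    if not data.startswith(b"\x7fELF"):
        return None
    banner = BANNER_RE.search(data)
    if banner:  # static link, or the shared object itself
        version = tuple(int(part) for part in banner.groups())
        # A backport keeps the old version string: a hit means "confirm patch status".
        return ("bundled", version, version <= LAST_AFFECTED)
    if SONAME_RE.search(data):  # version lives in the shared object; check that file
        return ("dynamic", None, True)
    return None


def scan(root) -> dict:
    """Walk root and map relative path -> classify() result for each hit."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        try:
            result = classify(path.read_bytes()) if path.is_file() else None
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        if result:
            findings[str(path.relative_to(root))] = result
    return findings


def demo() -> dict:
    samples = {  # constructed fake ELF blobs, not real binaries
        "backup-agent": b"\x7fELF\0\0SSH-2.0-libssh2_1.10.0\0",
        "sftp-sync": b"\x7fELF\0\0libssh2.so.1\0libc.so.6\0",
        "future-tool": b"\x7fELF\0\0SSH-2.0-libssh2_9.9.9\0",  # placeholder version
        "notes.txt": b"mentions libssh2.so.1 but is not an ELF file",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, blob in samples.items():
            Path(root, name).write_bytes(blob)
        return scan(root)
```

A `bundled` hit on a statically linked program is the case package managers miss, because updating the system libssh2 package does not change that binary.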

