NIXPKGS-2026-1940

GitHub issue published 2 hours ago

libssh2: security issues CVE-2026-55199 and CVE-2026-55200

Permalink CVE-2026-55199

8.2 HIGH

CVSS version (CVSS): 4.0
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): Present (P)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): None (N)
Vulnerable System Impact Integrity (VI): None (N)
Vulnerable System Impact Availability (VA): High (H)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): Present (P)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): None (N)
Modified Vulnerable System Impact Integrity (MVI): None (N)
Modified Vulnerable System Impact Availability (MVA): High (H)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)
Exploit Maturity (E): Not Defined (X)

updated 2 hours ago by @LeSuisse Activity log

Created suggestion 7 hours ago
@LeSuisse ignored
2 packages
- haskellPackages.libssh2
- haskellPackages.libssh2-conduit
2 hours ago
@LeSuisse ignored reference https://w… 2 hours ago
@LeSuisse accepted 2 hours ago
@LeSuisse published on GitHub 2 hours ago

libssh2 - Pre-Authentication DoS via SSH_MSG_EXT_INFO Handler

libssh2 through 1.11.1, fixed in commit 1762685, contains a pre-authentication denial of service vulnerability in the SSH_MSG_EXT_INFO handler in src/packet.c that allows a malicious SSH server to cause a client CPU exhaustion loop by sending a crafted extension count value. A malicious server can set nr_extensions to 0xFFFFFFFF during key exchange, causing the client to spin in a tight CPU loop for over 60 seconds because return values from _libssh2_get_string() are unchecked and the session timeout does not apply to CPU-bound loops.

References

Pull Request issue-tracking
Patch Commit patch

Ignored references (1)

https://www.vulncheck.com/advisories/libssh2-pre-authentication-dos-via-ssh-msg… third-party-advisory

Affected products

libssh2

==17626857d20b3c9a1addfa45979dadcee1cd84a4
=<1.11.1

Matching in nixpkgs

pkgs.libssh2

Client-side C library implementing the SSH2 protocol

nixos-unstable 1.11.1
- nixpkgs-unstable 1.11.1
- nixos-unstable-small 1.11.1
nixos-26.05 1.11.1
- nixos-26.05-small 1.11.1
- nixpkgs-26.05-darwin 1.11.1

Ignored packages (2)

pkgs.haskellPackages.libssh2

FFI bindings to libssh2 SSH2 client library (http://libssh2.org/)

nixos-unstable 0.2.0.9-unstable-2025-04-03
- nixpkgs-unstable 0.2.0.9-unstable-2025-04-03
- nixos-unstable-small 0.2.0.9-unstable-2025-04-03
nixos-26.05 0.2.0.9-unstable-2025-04-03
- nixos-26.05-small 0.2.0.9-unstable-2025-04-03
- nixpkgs-26.05-darwin 0.2.0.9-unstable-2025-04-03

pkgs.haskellPackages.libssh2-conduit

None

nixos-unstable 0.2.1
- nixos-unstable-small 0.2.1
nixos-26.05 0.2.1
- nixos-26.05-small 0.2.1
- nixpkgs-26.05-darwin 0.2.1

Package maintainers

@SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>

Permalink CVE-2026-55200

9.2 CRITICAL

CVSS version (CVSS): 4.0
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): Present (P)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): High (H)
Vulnerable System Impact Integrity (VI): High (H)
Vulnerable System Impact Availability (VA): High (H)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): Present (P)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): High (H)
Modified Vulnerable System Impact Integrity (MVI): High (H)
Modified Vulnerable System Impact Availability (MVA): High (H)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)
Exploit Maturity (E): Not Defined (X)

updated 2 hours ago by @LeSuisse Activity log

Created suggestion 7 hours ago
@LeSuisse ignored
2 packages
- haskellPackages.libssh2
- haskellPackages.libssh2-conduit
3 hours ago
@LeSuisse accepted 3 hours ago
@LeSuisse ignored reference https://w… 2 hours ago
@LeSuisse published on GitHub 2 hours ago

libssh2 - Out-of-Bounds Write via Unchecked packet_length in transport.c

libssh2 through 1.11.1, fixed in commit 7acf3df contains an out-of-bounds write vulnerability in ssh2_transport_read() that fails to enforce upper bounds on packet_length field. Remote attackers can send crafted SSH packets with excessively large packet_length values to corrupt heap memory and achieve remote code execution.