oss-sec mailing list archives
Re: libssh2: CVE-2026-55200 (critical), CVE-2025-15661 (high), CVE-2026-55199 (high)
From: Sevan Janiyan <venture37 () geeklan co uk>
Date: Wed, 24 Jun 2026 13:14:28 +0100
On 23/06/2026 21:24, James Addison wrote:
The commit IDs of the fixes for each of the vulnerabilities, respectively, as found in the GitHub libssh2/libssh2.git repository, are: - 2dae3024897e1898d389835151f4e9606227721d - 17626857d20b3c9a1addfa45979dadcee1cd84a4 - 97acf3dfda80c91c3a8c9f2372546301d4a1a7a8
Just as a heads up, libssh2 1.11.1 was release October 2024 and the patch for src/sftp.c does not apply cleanly to the release.
[1] -https://digital.nhs.uk/cyber-alerts/2026/cc-4799
This url point to https://github.com/advisories/GHSA-R8MH-X5QV-7GG2 as the "Definitive source of threat updates" which references another commit separate from the hashes above
https://github.com/libssh2/libssh2/commit/97acf3dfda80c91c3a8c9f2372546301d4a1a7a8 via https://github.com/libssh2/libssh2/pull/2052 "transport.c: Additional boundary checks for packet length" Sorry, too busy melting to provide a patch against 1.11.1 release. :( Sincerely, Sevan
Current thread:
- libssh2: CVE-2026-55200 (critical), CVE-2025-15661 (high), CVE-2026-55199 (high) James Addison (Jun 23)
- Re: libssh2: CVE-2026-55200 (critical), CVE-2025-15661 (high), CVE-2026-55199 (high) Alan Coopersmith (Jun 23)
- Re: libssh2: CVE-2026-55200 (critical), CVE-2025-15661 (high), CVE-2026-55199 (high) Sevan Janiyan (Jun 24)
- Re: libssh2: CVE-2026-55200 (critical), CVE-2025-15661 (high), CVE-2026-55199 (high) Sevan Janiyan (Jun 24)
