PT-2026-50527 · Libssh2 · Libssh2

Tristan Madani · Published 2026-06-17 · Updated 2026-06-17 · CVE-2026-55199

CVSS v3.1: 5.9 Medium

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

libssh2 versions prior to 1.11.1

Description

A pre-authentication denial-of-service issue exists in the SSH_MSG_EXT_INFO handler within src/packet.c. A malicious SSH server can trigger a CPU exhaustion loop on the client by sending a crafted extension count value. Specifically, by setting nr_extensions to 0xFFFFFFFF during key exchange, the client enters a tight CPU loop for over 60 seconds because return values from the _libssh2_get_string() function are unchecked and session timeouts do not apply to CPU-bound loops.

Recommendations

Update to the version containing commit 1762685.
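
The loop pattern from the description next to a bounded form, as an added example: this is a simplified model, not libssh2 source and not a reproduction of commit 1762685. The names `struct buf`, `get_u32`, `get_string`, `ext_info_unchecked` and `ext_info_checked` are hypothetical, and the count pre-check is an assumption about one reasonable hardening.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified model, not libssh2 source: cursor over the bytes after the type. */
struct buf { const unsigned char *p; size_t left; };

static int get_u32(struct buf *b, uint32_t *out) {
    if (b->left < 4) return -1;
    *out = ((uint32_t)b->p[0] << 24) | ((uint32_t)b->p[1] << 16) |
           ((uint32_t)b->p[2] << 8) | (uint32_t)b->p[3];
    b->p += 4; b->left -= 4;
    return 0;
}

/* SSH "string": u32 length followed by that many bytes; -1 if it does not fit. */
static int get_string(struct buf *b, const unsigned char **s, size_t *len) {
    struct buf t = *b;
    uint32_t n;
    if (get_u32(&t, &n) != 0 || n > t.left) return -1;
    *s = t.p; *len = n;
    b->p = t.p + n; b->left = t.left - n;
    return 0;
}

/* Pattern from the description: peer-supplied count trusted, parse results
   ignored. Returns the number of iterations executed. */
uint32_t ext_info_unchecked(const unsigned char *pkt, size_t len) {
    struct buf b = { pkt, len };
    uint32_t nr = 0, iters = 0;
    const unsigned char *s; size_t n;
    if (get_u32(&b, &nr) != 0) return 0;
    while (nr-- > 0) {
        (void)get_string(&b, &s, &n);   /* name: failure ignored */
        (void)get_string(&b, &s, &n);   /* value: failure ignored */
        iters++;
    }
    return iters;
}

/* Bounded form: every extension needs two 4-byte length fields, so the count
   cannot exceed left/8, and the first failed read ends the loop. */
int ext_info_checked(const unsigned char *pkt, size_t len, uint32_t *iters) {
    struct buf b = { pkt, len };
    uint32_t nr = 0;
    const unsigned char *s; size_t n;
    *iters = 0;
    if (get_u32(&b, &nr) != 0 || nr > b.left / 8) return -1;
    while (nr-- > 0) {
        if (get_string(&b, &s, &n) != 0 || get_string(&b, &s, &n) != 0) return -1;
        (*iters)++;
    }
    return 0;
}
```

With the unchecked form the amount of work depends only on the count field, not on how many bytes were received, which is why a packet timeout never fires.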

Fix

DoS

Infinite Loop

Weakness Enumeration

Related Identifiers

CVE-2026-55199

Affected Products

Libssh2