{"repro_id":"REPRO-2026-00186","version":21,"title":"libssh2 via curl: malformed SSH packet length crashes SFTP client","repro_type":"security","status":"published","severity":"critical","cvss_score":9.2,"description":"libssh2 through 1.11.1 is affected by CVE-2026-55200 / GHSA-R8MH-X5QV-7GG2, an SSH transport packet-length validation flaw. Pruva reproduced the issue through a real curl SFTP-over-SSH client path: a malicious localhost SSH peer completed authentication and SFTP subsystem setup, then sent an encrypted SSH packet whose decoded packet_length was 0xfffffff0. The vulnerable non-sanitized curl/libssh2 product build crashed with SIGSEGV twice; the same curl build linked against the fixed libssh2 commit failed closed without a native crash twice.","root_cause":"The vulnerable libssh2 transport path failed to reject an attacker-controlled SSH packet length before later packet handling used that malformed size. The reproduction exercised that path through curl, not a parser harness: curl connected over TCP to an AsyncSSH peer, authenticated, opened the SFTP subsystem, and then received an encrypted malformed packet with clear packet_length=0xfffffff0. Both vulnerable product runs reached the target path and exited with signal-derived code 139. The patched libssh2 commit 97acf3dfda80c91c3a8c9f2372546301d4a1a7a8 rejected the same traffic shape and both fixed product runs exited with code 2, with no native crash. Primary evidence is non-sanitized product behavior; ASAN/UBSAN output is not used as the success oracle.","ghsa_id":"GHSA-R8MH-X5QV-7GG2","cve_id":"CVE-2026-55200","cwe_id":"CWE-680","source_url":"https://github.com/advisories/GHSA-R8MH-X5QV-7GG2","package":{"name":"libssh2","ecosystem":"c","affected_versions":"through 1.11.1","fixed_version":"97acf3dfda80c91c3a8c9f2372546301d4a1a7a8","tested_vulnerable":"39cd3a82c7e07a08c1e218b91e69fd92d4f35ca3","tested_patched":"97acf3dfda80c91c3a8c9f2372546301d4a1a7a8"},"reproduced_at":"2026-06-25T09:47:51.516194+00:00","duration_secs":683.0,"tool_calls":115,"handoffs":2,"total_cost_usd":0.30033115,"agent_costs":{"judge":0.015670550000000002,"repro":0.04491515000000001,"support":0.0091823,"vuln_variant":0.23056315},"cost_breakdown":{"judge":{"gpt-5.4-mini":0.015670550000000002},"repro":{"gpt-5.4-mini":0.04491515000000001},"support":{"gpt-5.4-mini":0.0091823},"vuln_variant":{"gpt-5.4-mini":0.23056315}},"quality":{"confidence":"high","idempotent_verified":true,"test_case_count":4,"community_verifications":0},"published_at":"2026-06-25T09:49:21.039911+00:00","retracted":false,"artifacts":[{"path":"bundle/repro/reproduction_steps.sh","filename":"reproduction_steps.sh","size":16505,"category":"reproduction_script"},{"path":"bundle/repro/rca_report.md","filename":"rca_report.md","size":4685,"category":"analysis"},{"path":"bundle/repro/curl-vulnerable-run2.reached","filename":"curl-vulnerable-run2.reached","size":5,"category":"other"},{"path":"bundle/repro/curl-vulnerable-run1.hostpubsha256","filename":"curl-vulnerable-run1.hostpubsha256","size":45,"category":"other"},{"path":"bundle/repro/curl-fixed-run2.hostpubsha256","filename":"curl-fixed-run2.hostpubsha256","size":45,"category":"other"},{"path":"bundle/repro/curl-fixed-run2.crash","filename":"curl-fixed-run2.crash","size":6,"category":"other"},{"path":"bundle/repro/curl-vulnerable-run1.ready","filename":"curl-vulnerable-run1.ready","size":6,"category":"other"},{"path":"bundle/repro/malicious_asyncssh_peer.py","filename":"malicious_asyncssh_peer.py","size":4090,"category":"script"},{"path":"bundle/repro/runtime_manifest.json","filename":"runtime_manifest.json","size":1260,"category":"other"},{"path":"bundle/repro/curl-fixed-run1.exitcode","filename":"curl-fixed-run1.exitcode","size":2,"category":"other"},{"path":"bundle/repro/curl-vulnerable-run2.exitcode","filename":"curl-vulnerable-run2.exitcode","size":4,"category":"other"},{"path":"bundle/repro/curl-fixed-run1.hostpubsha256","filename":"curl-fixed-run1.hostpubsha256","size":45,"category":"other"},{"path":"bundle/repro/curl-fixed-run2.exitcode","filename":"curl-fixed-run2.exitcode","size":2,"category":"other"},{"path":"bundle/repro/curl-fixed-run2.ready","filename":"curl-fixed-run2.ready","size":6,"category":"other"},{"path":"bundle/repro/curl-vulnerable-run1.exitcode","filename":"curl-vulnerable-run1.exitcode","size":4,"category":"other"},{"path":"bundle/repro/curl-fixed-run1.crash","filename":"curl-fixed-run1.crash","size":6,"category":"other"},{"path":"bundle/repro/curl-fixed-run2.reached","filename":"curl-fixed-run2.reached","size":5,"category":"other"},{"path":"bundle/repro/curl-vulnerable-run2.crash","filename":"curl-vulnerable-run2.crash","size":5,"category":"other"},{"path":"bundle/repro/curl-vulnerable-run2.hostpubsha256","filename":"curl-vulnerable-run2.hostpubsha256","size":45,"category":"other"},{"path":"bundle/repro/curl-fixed-run1.ready","filename":"curl-fixed-run1.ready","size":6,"category":"other"},{"path":"bundle/repro/curl-vulnerable-run2.ready","filename":"curl-vulnerable-run2.ready","size":6,"category":"other"},{"path":"bundle/repro/curl-vulnerable-run1.reached","filename":"curl-vulnerable-run1.reached","size":5,"category":"other"},{"path":"bundle/repro/curl-vulnerable-run1.crash","filename":"curl-vulnerable-run1.crash","size":5,"category":"other"},{"path":"bundle/repro/curl-fixed-run1.reached","filename":"curl-fixed-run1.reached","size":5,"category":"other"},{"path":"bundle/repro/validation_verdict.json","filename":"validation_verdict.json","size":761,"category":"other"},{"path":"bundle/ticket.json","filename":"ticket.json","size":4341,"category":"other"},{"path":"bundle/project_cache_context.json","filename":"project_cache_context.json","size":4282,"category":"other"},{"path":"bundle/ticket.md","filename":"ticket.md","size":3872,"category":"ticket"},{"path":"bundle/logs/reference.latest_attempt.proof_carry_manifest.json","filename":"reference.latest_attempt.proof_carry_manifest.json","size":552,"category":"other"},{"path":"bundle/logs/curl-fixed-ldd.log","filename":"curl-fixed-ldd.log","size":542,"category":"log"},{"path":"bundle/logs/reference.latest_confirmed.proof_carry_manifest.json","filename":"reference.latest_confirmed.proof_carry_manifest.json","size":1977,"category":"other"},{"path":"bundle/logs/curl-vulnerable-run1.summary","filename":"curl-vulnerable-run1.summary","size":598,"category":"other"},{"path":"bundle/logs/curl-vulnerable-run1.server.log","filename":"curl-vulnerable-run1.server.log","size":793,"category":"log"},{"path":"bundle/logs/product-verdict.log","filename":"product-verdict.log","size":163,"category":"log"},{"path":"bundle/logs/curl-vulnerable-run1.client.log","filename":"curl-vulnerable-run1.client.log","size":0,"category":"log"},{"path":"bundle/logs/curl-fixed-readelf.log","filename":"curl-fixed-readelf.log","size":1915,"category":"log"},{"path":"bundle/logs/product/vuln_libdir_resolved.txt","filename":"vuln_libdir_resolved.txt","size":110,"category":"other"},{"path":"bundle/logs/product/fixed_curl_resolved.txt","filename":"fixed_curl_resolved.txt","size":106,"category":"other"},{"path":"bundle/logs/product/vuln_curl_resolved.txt","filename":"vuln_curl_resolved.txt","size":105,"category":"other"},{"path":"bundle/logs/product/fixed_libdir_resolved.txt","filename":"fixed_libdir_resolved.txt","size":111,"category":"other"},{"path":"bundle/logs/product-file-identification.log","filename":"product-file-identification.log","size":620,"category":"log"},{"path":"bundle/logs/curl-fixed-run1.loader.log","filename":"curl-fixed-run1.loader.log","size":12619,"category":"log"},{"path":"bundle/logs/curl-vulnerable-readelf.log","filename":"curl-vulnerable-readelf.log","size":1914,"category":"log"},{"path":"bundle/logs/curl-fixed-run2.client.log","filename":"curl-fixed-run2.client.log","size":0,"category":"log"},{"path":"bundle/logs/curl-fixed-run1.client.log","filename":"curl-fixed-run1.client.log","size":0,"category":"log"},{"path":"bundle/logs/curl-vulnerable-run2.server.log","filename":"curl-vulnerable-run2.server.log","size":793,"category":"log"},{"path":"bundle/logs/curl-fixed-run2.loader.log","filename":"curl-fixed-run2.loader.log","size":12619,"category":"log"},{"path":"bundle/logs/curl-vulnerable-run2.client.log","filename":"curl-vulnerable-run2.client.log","size":0,"category":"log"},{"path":"bundle/logs/curl-fixed-run1.summary","filename":"curl-fixed-run1.summary","size":578,"category":"other"},{"path":"bundle/logs/curl-fixed-version.log","filename":"curl-fixed-version.log","size":357,"category":"log"},{"path":"bundle/logs/curl-fixed-run2.server.log","filename":"curl-fixed-run2.server.log","size":735,"category":"log"},{"path":"bundle/logs/curl-vulnerable-ldd.log","filename":"curl-vulnerable-ldd.log","size":541,"category":"log"},{"path":"bundle/logs/curl-fixed-run1.server.log","filename":"curl-fixed-run1.server.log","size":735,"category":"log"},{"path":"bundle/logs/curl-vulnerable-run1.loader.log","filename":"curl-vulnerable-run1.loader.log","size":10977,"category":"log"},{"path":"bundle/logs/reproduction_steps.log","filename":"reproduction_steps.log","size":6448,"category":"log"},{"path":"bundle/logs/curl-fixed-run2.summary","filename":"curl-fixed-run2.summary","size":578,"category":"other"},{"path":"bundle/logs/curl-vulnerable-run2.loader.log","filename":"curl-vulnerable-run2.loader.log","size":10977,"category":"log"},{"path":"bundle/logs/curl-vulnerable-version.log","filename":"curl-vulnerable-version.log","size":357,"category":"log"},{"path":"bundle/logs/curl-vulnerable-run2.summary","filename":"curl-vulnerable-run2.summary","size":598,"category":"other"}]}