# GHSA-R8MH-X5QV-7GG2-PRODUCT-NONASAN

## Summary

CVE-2026-55200: product-mode curl/libssh2 SSH peer proof without ASAN

## Description

Follow-up reproduction for CVE-2026-55200 / GHSA-R8MH-X5QV-7GG2 in libssh2. This ticket intentionally raises the bar beyond the previous confirmed ASAN network proof.

- Target repository: https://github.com/libssh2/libssh2
- Product target: a real command-line product path using curl built against libssh2
- Fixed libssh2 commit: 97acf3dfda80c91c3a8c9f2372546301d4a1a7a8
- Vulnerable libssh2 commit to compare: 39cd3a82c7e07a08c1e218b91e69fd92d4f35ca3
- Prior successful Pruva run, for guidance only: dbd19b32-b1e4-4ffe-b9f3-34e4091c0724

That prior run proved a TCP SSH peer path but used ASAN/UBSAN as primary evidence; this ticket must not accept that as success.

Required objective: produce a fresh product-mode end-to-end TCP localhost SSH peer reproduction. The vulnerable target MUST be a non-sanitized release/hardened curl CLI binary linked against a non-sanitized release/hardened vulnerable libssh2 build. The fixed target MUST be the same curl CLI build shape linked against fixed libssh2. The malicious input MUST cross a real TCP/socket SSH peer boundary after a real SSH handshake/key exchange, using the known malformed encrypted packet shape with clear packet_length=0xfffffff0 when applicable. The evidence MUST show the product process reaches the real libssh2 vulnerable transport parser through curl's normal SSH/SFTP/SCP path, not through a direct parser harness or custom client as the primary target.

Primary success criteria: the vulnerable curl+libssh2 product run MUST produce a product-visible failure signal without ASAN/UBSAN/MSAN/TSAN as the primary evidence, such as SIGSEGV, SIGABRT, core dump, glibc malloc/memmove/fortify abort, or another deterministic non-sanitizer process failure attributable to the malformed SSH packet. The fixed curl+libssh2 product run MUST reject or fail closed without the vulnerable process failure signal. The product proof MUST pass twice from a clean invocation of reproduction_steps.sh. The fixed negative proof MUST pass twice as well.
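As an added illustration of what "reject or fail closed" on the fixed side amounts to (this is example code, not code from the ticket, from libssh2 or from curl): a header check that validates the RFC 4253 binary-packet length fields before any buffer is sized from them, and refuses the packet_length=0xfffffff0 shape named above. The 35000-byte ceiling and 64-byte MAC cap are assumptions taken from the RFC 4253 minimum, not libssh2's own limits.

```c
#include <stddef.h>
#include <stdint.h>
/* RFC 4253 section 6 obliges every implementation to accept packets of at least
 * 35000 bytes total. Used here as the fail-closed ceiling (assumption: an
 * illustrative bound, not libssh2's own limit). MAC length is capped at 64. */
#define SSH_MAX_PACKET_TOTAL 35000u
#define SSH_MIN_PADDING 4u
#define SSH_MAX_MAC_LEN 64u

enum ssh_hdr_verdict {
    SSH_HDR_OK = 0,
    SSH_HDR_SHORT,          /* fewer than 5 header bytes available */
    SSH_HDR_TOO_LARGE,      /* packet_length (or mac_len) exceeds the ceiling */
    SSH_HDR_TOO_SMALL,      /* packet_length cannot hold padding_length + padding */
    SSH_HDR_BAD_ALIGNMENT,  /* packet_length + 4 is not a multiple of the block size */
    SSH_HDR_BAD_PADDING     /* padding_length < 4 or leaves no room for a payload */
};
/* Validate the length fields of an SSH binary packet (RFC 4253 section 6) before
 * any buffer is sized from them. blk is the first block (decrypted, or in clear
 * for ETM MACs); block_size is the cipher block size; mac_len was set in KEX. */
enum ssh_hdr_verdict ssh_check_packet_header(const uint8_t *blk, size_t blk_len,
                                             uint32_t block_size, uint32_t mac_len,
                                             size_t *total_out)
{
    if (blk_len < 5)
        return SSH_HDR_SHORT;
    if (block_size < 8) block_size = 8;      /* RFC 4253: alignment is at least 8 */
    uint32_t packet_length = ((uint32_t)blk[0] << 24) | ((uint32_t)blk[1] << 16) |
                             ((uint32_t)blk[2] << 8)  |  (uint32_t)blk[3];
    uint8_t padding_length = blk[4];
    /* Compare against the ceiling before adding 4 + mac_len, so an attacker-chosen
     * packet_length near UINT32_MAX can never wrap into a small allocation size. */
    if (mac_len > SSH_MAX_MAC_LEN || packet_length > SSH_MAX_PACKET_TOTAL - 4u - mac_len)
        return SSH_HDR_TOO_LARGE;
    if (packet_length < 1u + SSH_MIN_PADDING)
        return SSH_HDR_TOO_SMALL;
    if ((packet_length + 4u) % block_size != 0)
        return SSH_HDR_BAD_ALIGNMENT;
    if (padding_length < SSH_MIN_PADDING || padding_length >= packet_length)
        return SSH_HDR_BAD_PADDING;
    if (total_out)
        *total_out = 4u + (size_t)packet_length + mac_len;   /* full on-wire length */
    return SSH_HDR_OK;
}

/* Constructed sample first blocks (16-byte cipher block): the malformed shape named
 * in the ticket, and a well-formed 28-byte packet carrying 4 bytes of padding. */
static const uint8_t kMalformedFirstBlock[16] = { 0xff, 0xff, 0xff, 0xf0, 0x04 };
static const uint8_t kWellFormedFirstBlock[16] = { 0x00, 0x00, 0x00, 0x1c, 0x04 };
```

A transport parser that runs this check before computing any remaining-length or allocation size from packet_length cannot reach a memmove or malloc sized by the malformed value, which is the behaviour the fixed product run must exhibit.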

Allowed secondary evidence: ASAN/UBSAN builds may be generated only after the product-mode proof, and only to explain root cause or stack location. Sanitizer output alone MUST NOT satisfy this ticket. A minimal custom libssh2 client, direct ssh2_transport_read() harness, or ASAN-only crash MUST be recorded as supporting/debug evidence and MUST NOT be marked as the final validated proof.

Speed/project-cache requirements: use /bundle/project_cache_context.json when present. Reuse the existing libssh2 project cache, cloned repositories, build dependencies, compiler/toolchain setup, known commits, prior malicious peer strategy, and prior packet shape. Keep cloned repos and heavy build outputs under project_cache_dir or /bundle/artifacts/libssh2. Start from the known successful network proof and convert it to a product curl path; do not spend turns rediscovering the advisory.

Deliverables under /bundle:

- bundle/repro/reproduction_steps.sh (MUST be idempotent and run the product proof twice)
- bundle/repro/verify_fix.sh
- bundle/repro/runtime_manifest.json
- bundle/repro/validation_verdict.json
- bundle/repro/product_proof.md
- logs under bundle/logs

runtime_manifest.json MUST set entrypoint_kind to tcp_peer or product_network_peer, service_started=true for the malicious peer, healthcheck or connection evidence present, target_path_reached=true, sanitizer_used=false for the primary proof, product_target=curl, and MUST include vulnerable/fixed process exit evidence. validation_verdict.json MUST only claim confirmed when validated_surface is a real product network protocol path and sanitizer_used=false for the primary evidence.

## Metadata

- Product: curl+libssh2
- Severity: critical
- Status: open
