9.2 · CVE-2025-15661 · EXPLOITED · PATCHED
libssh2 · libssh2

libssh2 - Heap Buffer Over-read via sftp_symlink() in sftp.c

Description

libssh2 through 1.11.1, fixed in commit 2dae302, contains an out-of-bounds heap read vulnerability in the sftp_symlink() function in src/sftp.c that allows a malicious SSH server or man-in-the-middle attacker to disclose heap memory contents or cause a crash by sending a crafted SSH_FXP_NAME response. Attackers can supply a link_len value larger than the actual packet data in SSH_FXP_NAME responses for SFTP READLINK and REALPATH operations, triggering a heap buffer over-read of up to target_len minus one bytes due to the missing validation of available packet buffer size before the memcpy operation.

Affected Products

Vendor | Product | Versions
libssh2 | libssh2 | 0

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor | Product | Source | Confidence
open source | libssh2 | cert_advisory | 90%

References

  • https://github.com/libssh2/libssh2/pull/1705 (issue-tracking)
  • https://github.com/libssh2/libssh2/pull/1717 (issue-tracking)
  • https://github.com/libssh2/libssh2/commit/2dae3024897e1898d389835151f4e9606227721d (patch)
  • https://www.vulncheck.com/advisories/libssh2-heap-buffer-over-read-via-sftp-symlink-in-sftp-c (third-party-advisory)

Related News (6 articles)

Tier C · oss-security · 3d ago
Re: libssh2: CVE-2026-55200 (critical), CVE-2025-15661 (high), CVE-2026-55199 (high)
→ No new info (linked only)
Tier C · oss-security · 3d ago
Re: libssh2: CVE-2026-55200 (critical), CVE-2025-15661 (high), CVE-2026-55199 (high)
→ No new info (linked only)
Tier C · oss-security · 4d ago
Re: libssh2: CVE-2026-55200 (critical), CVE-2025-15661 (high), CVE-2026-55199 (high)
→ No new info (linked only)
Tier C · oss-security · 4d ago
libssh2: CVE-2026-55200 (critical), CVE-2025-15661 (high), CVE-2026-55199 (high)
→ No new info (linked only)
Tier B · BSI Advisories · 8d ago
[NEW] [medium] libssh2: Vulnerability allows denial of service and information disclosure
→ No new info (linked only)
Tier C · VulDB · 8d ago
CVE-2025-15661 | libssh2 up to 1.11.1 SSH src/sftp.c sftp_symlink link_len out-of-bounds
→ No new info (linked only)
CVSS 3.1: 9.2 CRITICAL
CISA KEV: No
Actively exploited: Yes
Patch available: 97acf3dfda80c91c3a8c9f2372546301d4a1a7a8
CWE: CWE-125
Published: Jun 18, 2026
Last enriched: 3d ago (v5)
Tags: CVE-2025-15661, CVE-2026-55200, CVE-2026-55199, GHSA-R8MH-X5QV-7GG2
Trending Score: 40
Source articles: 6
Independent: 3
Info Completeness: 10/14
Missing: epss, kev, iocs, mitre_attack


Related CVEs (5)

NONE · CVE-2026-55200 · EXP
libssh2 - Out-of-Bounds Write via Unchecked packet_length in transport.c
Trending: 73
CRITICAL · CVE-2026-55199 · EXP
libssh2 - Pre-Authentication DoS via SSH_MSG_EXT_INFO Handler
Trending: 42
MEDIUM · CVE-2026-58051
libssh2 - Free of Uninitialized Pointer in publickey List Cleanup
HIGH · CVE-2026-58050
libssh2 - Integer Overflow in publickey Subsystem Attribute Allocation
NONE · CVE-2026-7598 · EXP
libssh2 userauth.c userauth_password integer overflow

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published · Jun 18, 2026
Discovered by ZDM · Jun 18, 2026
Updated: severity, tags · Jun 19, 2026
Actively Exploited · Jun 23, 2026
Exploit Available · Jun 23, 2026
Patch Available · Jun 23, 2026
Updated: severity, cvssEstimate, exploitAvailable, activelyExploited, tags · Jun 23, 2026
Updated: severity, cvssEstimate · Jun 23, 2026
Updated: patchAvailable, tags · Jun 24, 2026

Version History

v5 · Last enriched 3d ago

v5 · Tier C · 3d ago

Updated patch available to a new commit and added a new tag GHSA-R8MH-X5QV-7GG2.

patchAvailable, tags
via oss-security

v4 · Tier C · 4d ago

Updated severity to CRITICAL and CVSS score to 9.2 for CVE-2026-55200.

severity, cvssEstimate
via oss-security

v3 · Tier C · 4d ago

Updated severity to HIGH, added CVSS score of 8.3, marked exploit as available and actively exploited, and added new CVE tags.

severity, cvssEstimate, exploitAvailable, activelyExploited, tags
via oss-security

v2 · Tier C · 8d ago

Updated severity to CRITICAL, noted that no exploit is available, and added CVE-2025-15661 as a tag.

severity, tags
via VulDB

v1 · 9d ago

Initial creation