Verified
libssh2 via curl: malformed SSH packet length crashes SFTP client
REPRO-2026-00186 · libssh2 · c · Jun 25, 2026
Severity CRITICAL
Confidence HIGH
Reproduced in 11m 23s
Tool calls 115
Spend $0.30
Affected through 1.11.1
Fixed in 97acf3dfda80
$ pruva-verify REPRO-2026-00186
or curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00186/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh
Run in a VM or disposable container. This exploits a real vulnerability.
02 · The vulnerability

libssh2 through 1.11.1 is affected by CVE-2026-55200 / GHSA-R8MH-X5QV-7GG2, an SSH transport packet-length validation flaw. Pruva reproduced the issue through a real curl SFTP-over-SSH client path: a malicious localhost SSH peer completed authentication and SFTP subsystem setup, then sent an encrypted SSH packet whose decoded packet_length was 0xfffffff0. The vulnerable non-sanitized curl/libssh2 product build crashed with SIGSEGV twice; the same curl build linked against the fixed libssh2 commit failed closed without a native crash twice.

03 · Root cause
04 · Reproduction transcript

The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.

05 · Artifacts

Scripts, logs, diffs, and output captured during the reproduction.

bundle/repro/curl-vulnerable-run2.reached (0.0 KB)
bundle/repro/curl-vulnerable-run1.hostpubsha256 (0.0 KB)
bundle/repro/curl-fixed-run2.hostpubsha256 (0.0 KB)
bundle/repro/curl-fixed-run2.crash (0.0 KB)
bundle/repro/curl-vulnerable-run1.ready (0.0 KB)
bundle/repro/malicious_asyncssh_peer.py (4.0 KB)
bundle/repro/runtime_manifest.json (1.2 KB)
bundle/repro/curl-fixed-run1.exitcode (0.0 KB)
bundle/repro/curl-vulnerable-run2.exitcode (0.0 KB)
bundle/repro/curl-fixed-run1.hostpubsha256 (0.0 KB)
bundle/repro/curl-fixed-run2.exitcode (0.0 KB)
bundle/repro/curl-fixed-run2.ready (0.0 KB)
bundle/repro/curl-vulnerable-run1.exitcode (0.0 KB)
bundle/repro/curl-fixed-run1.crash (0.0 KB)
bundle/repro/curl-fixed-run2.reached (0.0 KB)
bundle/repro/curl-vulnerable-run2.crash (0.0 KB)
bundle/repro/curl-vulnerable-run2.hostpubsha256 (0.0 KB)
bundle/repro/curl-fixed-run1.ready (0.0 KB)
bundle/repro/curl-vulnerable-run2.ready (0.0 KB)
bundle/repro/curl-vulnerable-run1.reached (0.0 KB)
bundle/repro/curl-vulnerable-run1.crash (0.0 KB)
bundle/repro/curl-fixed-run1.reached (0.0 KB)
bundle/repro/validation_verdict.json (0.7 KB)
bundle/ticket.json (4.2 KB)
bundle/project_cache_context.json (4.2 KB)
bundle/ticket.md (3.8 KB)
bundle/logs/reference.latest_attempt.proof_carry_manifest.json (0.5 KB)
bundle/logs/curl-fixed-ldd.log (0.5 KB)
bundle/logs/reference.latest_confirmed.proof_carry_manifest.json (1.9 KB)
bundle/logs/curl-vulnerable-run1.summary (0.6 KB)
bundle/logs/curl-vulnerable-run1.server.log (0.8 KB)
bundle/logs/product-verdict.log (0.2 KB)
bundle/logs/curl-vulnerable-run1.client.log (0.0 KB)
bundle/logs/curl-fixed-readelf.log (1.9 KB)
bundle/logs/product/vuln_libdir_resolved.txt (0.1 KB)
bundle/logs/product/fixed_curl_resolved.txt (0.1 KB)
bundle/logs/product/vuln_curl_resolved.txt (0.1 KB)
bundle/logs/product/fixed_libdir_resolved.txt (0.1 KB)
bundle/logs/product-file-identification.log (0.6 KB)
bundle/logs/curl-fixed-run1.loader.log (12.3 KB)
bundle/logs/curl-vulnerable-readelf.log (1.9 KB)
bundle/logs/curl-fixed-run2.client.log (0.0 KB)
bundle/logs/curl-fixed-run1.client.log (0.0 KB)
bundle/logs/curl-vulnerable-run2.server.log (0.8 KB)
bundle/logs/curl-fixed-run2.loader.log (12.3 KB)
bundle/logs/curl-vulnerable-run2.client.log (0.0 KB)
bundle/logs/curl-fixed-run1.summary (0.6 KB)
bundle/logs/curl-fixed-version.log (0.3 KB)
bundle/logs/curl-fixed-run2.server.log (0.7 KB)
bundle/logs/curl-vulnerable-ldd.log (0.5 KB)
bundle/logs/curl-fixed-run1.server.log (0.7 KB)
bundle/logs/curl-vulnerable-run1.loader.log (10.7 KB)
bundle/logs/reproduction_steps.log (6.3 KB)
bundle/logs/curl-fixed-run2.summary (0.6 KB)
bundle/logs/curl-vulnerable-run2.loader.log (10.7 KB)
bundle/logs/curl-vulnerable-version.log (0.3 KB)
bundle/logs/curl-vulnerable-run2.summary (0.6 KB)
bundle/repro/reproduction_steps.sh (16.1 KB)
bundle/repro/rca_report.md (4.6 KB)