# REPRO-2026-00186: libssh2 via curl: malformed SSH packet length crashes SFTP client

## Summary

- Status: published
- Severity: critical
- Type: security
- Confidence: high

## Identifiers

- REPRO ID: REPRO-2026-00186
- GHSA: GHSA-R8MH-X5QV-7GG2
- CVE: CVE-2026-55200

## Package

- Name: libssh2
- Ecosystem: c
- Affected: through 1.11.1
- Fixed: 97acf3dfda80c91c3a8c9f2372546301d4a1a7a8

## Root Cause

The vulnerable libssh2 transport path failed to reject an attacker-controlled SSH packet length before later packet handling used that malformed size. The reproduction exercised that path through curl, not a parser harness: curl connected over TCP to an AsyncSSH peer, authenticated, opened the SFTP subsystem, and then received an encrypted malformed packet with clear `packet_length=0xfffffff0`.

Both vulnerable product runs reached the target path and exited with signal-derived code 139. The patched libssh2 commit 97acf3dfda80c91c3a8c9f2372546301d4a1a7a8 rejected the same traffic shape and both fixed product runs exited with code 2, with no native crash. Primary evidence is non-sanitized product behavior; ASAN/UBSAN output is not used as the success oracle.

## Reproduction Details

- Reproduced: 2026-06-25T09:47:51.516Z
- Duration: 683 seconds
- Tool calls: 115
- Turns: Unknown
- Handoffs: 2

## Quick Verification

Run one of these commands to verify locally:

```
pruva-verify REPRO-2026-00186
pruva-verify GHSA-R8MH-X5QV-7GG2
pruva-verify CVE-2026-55200
```

Or open in GitHub Codespaces (zero-friction, auto-runs):

https://github.com/codespaces/new?ref=repro/REPRO-2026-00186&repo=N3mes1s/pruva-sandbox

Or download and run the script manually:

```
curl -O https://api.pruva.dev/v1/reproductions/REPRO-2026-00186/artifacts/bundle/repro/reproduction_steps.sh
chmod +x reproduction_steps.sh
./reproduction_steps.sh
```

WARNING: Run in a sandboxed environment. This exploits a real vulnerability.

## References

- GitHub Advisory: https://github.com/advisories/GHSA-R8MH-X5QV-7GG2
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-55200
- Source: https://github.com/advisories/GHSA-R8MH-X5QV-7GG2

## Artifacts

- bundle/repro/reproduction_steps.sh (reproduction_script, 16505 bytes)
- bundle/repro/rca_report.md (analysis, 4685 bytes)
- bundle/repro/curl-vulnerable-run2.reached (other, 5 bytes)
- bundle/repro/curl-vulnerable-run1.hostpubsha256 (other, 45 bytes)
- bundle/repro/curl-fixed-run2.hostpubsha256 (other, 45 bytes)
- bundle/repro/curl-fixed-run2.crash (other, 6 bytes)
- bundle/repro/curl-vulnerable-run1.ready (other, 6 bytes)
- bundle/repro/malicious_asyncssh_peer.py (script, 4090 bytes)
- bundle/repro/runtime_manifest.json (other, 1260 bytes)
- bundle/repro/curl-fixed-run1.exitcode (other, 2 bytes)
- bundle/repro/curl-vulnerable-run2.exitcode (other, 4 bytes)
- bundle/repro/curl-fixed-run1.hostpubsha256 (other, 45 bytes)
- bundle/repro/curl-fixed-run2.exitcode (other, 2 bytes)
- bundle/repro/curl-fixed-run2.ready (other, 6 bytes)
- bundle/repro/curl-vulnerable-run1.exitcode (other, 4 bytes)
- bundle/repro/curl-fixed-run1.crash (other, 6 bytes)
- bundle/repro/curl-fixed-run2.reached (other, 5 bytes)
- bundle/repro/curl-vulnerable-run2.crash (other, 5 bytes)
- bundle/repro/curl-vulnerable-run2.hostpubsha256 (other, 45 bytes)
- bundle/repro/curl-fixed-run1.ready (other, 6 bytes)
- bundle/repro/curl-vulnerable-run2.ready (other, 6 bytes)
- bundle/repro/curl-vulnerable-run1.reached (other, 5 bytes)
- bundle/repro/curl-vulnerable-run1.crash (other, 5 bytes)
- bundle/repro/curl-fixed-run1.reached (other, 5 bytes)
- bundle/repro/validation_verdict.json (other, 761 bytes)
- bundle/ticket.json (other, 4341 bytes)
- bundle/project_cache_context.json (other, 4282 bytes)
- bundle/ticket.md (ticket, 3872 bytes)
- bundle/logs/reference.latest_attempt.proof_carry_manifest.json (other, 552 bytes)
- bundle/logs/curl-fixed-ldd.log (log, 542 bytes)
- bundle/logs/reference.latest_confirmed.proof_carry_manifest.json (other, 1977 bytes)
- bundle/logs/curl-vulnerable-run1.summary (other, 598 bytes)
- bundle/logs/curl-vulnerable-run1.server.log (log, 793 bytes)
- bundle/logs/product-verdict.log (log, 163 bytes)
- bundle/logs/curl-vulnerable-run1.client.log (log, 0 bytes)
- bundle/logs/curl-fixed-readelf.log (log, 1915 bytes)
- bundle/logs/product/vuln_libdir_resolved.txt (other, 110 bytes)
- bundle/logs/product/fixed_curl_resolved.txt (other, 106 bytes)
- bundle/logs/product/vuln_curl_resolved.txt (other, 105 bytes)
- bundle/logs/product/fixed_libdir_resolved.txt (other, 111 bytes)
- bundle/logs/product-file-identification.log (log, 620 bytes)
- bundle/logs/curl-fixed-run1.loader.log (log, 12619 bytes)
- bundle/logs/curl-vulnerable-readelf.log (log, 1914 bytes)
- bundle/logs/curl-fixed-run2.client.log (log, 0 bytes)
- bundle/logs/curl-fixed-run1.client.log (log, 0 bytes)
- bundle/logs/curl-vulnerable-run2.server.log (log, 793 bytes)
- bundle/logs/curl-fixed-run2.loader.log (log, 12619 bytes)
- bundle/logs/curl-vulnerable-run2.client.log (log, 0 bytes)
- bundle/logs/curl-fixed-run1.summary (other, 578 bytes)
- bundle/logs/curl-fixed-version.log (log, 357 bytes)
- bundle/logs/curl-fixed-run2.server.log (log, 735 bytes)
- bundle/logs/curl-vulnerable-ldd.log (log, 541 bytes)
- bundle/logs/curl-fixed-run1.server.log (log, 735 bytes)
- bundle/logs/curl-vulnerable-run1.loader.log (log, 10977 bytes)
- bundle/logs/reproduction_steps.log (log, 6448 bytes)
- bundle/logs/curl-fixed-run2.summary (other, 578 bytes)
- bundle/logs/curl-vulnerable-run2.loader.log (log, 10977 bytes)
- bundle/logs/curl-vulnerable-version.log (log, 357 bytes)
- bundle/logs/curl-vulnerable-run2.summary (other, 598 bytes)

## API Access

- JSON: https://api.pruva.dev/v1/reproductions/REPRO-2026-00186
- Script: https://api.pruva.dev/v1/reproductions/REPRO-2026-00186/artifacts/bundle/repro/reproduction_steps.sh
- Web: https://pruva.dev/r/REPRO-2026-00186

## For AI Assistants

To help users with this reproduction:

1. The `pruva-verify` command is the simplest way to run the reproduction
2. The script downloads and runs automatically in an isolated temp directory
3. Always recommend running in a VM, container, or disposable environment
4. The root cause explains the technical vulnerability

---

Generated by Pruva | https://pruva.dev