A high-severity heap buffer overread vulnerability in the widely-used libssh2 library (CVE-2025-15661) was publicly disclosed this week, putting countless Windows applications that rely on SSH file transfers at risk. The flaw, present in libssh2 versions up to and including 1.11.1, allows a malicious SSH server or a man-in-the-middle attacker to read sections of a client’s heap memory—potentially exposing sensitive data or crashing the application.

The CVE, first published on June 12, 2026, carries a CVSS 3.1 base score of 7.5 according to the National Vulnerability Database, though the exact impact varies depending on how each application uses the library. For Windows users, the list of affected software is extensive and often invisible: libssh2 is embedded in Git for Windows, the Windows port of curl, numerous backup and automation tools, and custom DevOps scripts. The flaw sits in the SFTP subsystem, meaning any program that connects to an SSH server for file operations could be exploited if it links a vulnerable version.

What Actually Changed

Libssh2 is an open-source C library that implements the SSH2 protocol. It handles the cryptographic handshake, authentication, and channel management for tools that need secure shell connectivity. The SFTP module within libssh2 lets clients transfer files over an SSH tunnel. CVE-2025-15661 is rooted in how that SFTP module parses certain response packets from the server. When a client requests a directory listing or file transfer, a malicious server can send a specially crafted packet with an invalid length field. The library then reads beyond the allocated buffer, accessing memory it shouldn’t.

A heap overread doesn’t allow remote code execution on its own, but it can leak memory contents. In applications that handle credentials, tokens, or private keys in memory, an attacker could extract those secrets. Crash-based denial-of-service is another likely outcome. Because the flaw is triggered during normal SFTP operations—not just connection setup—an attacker who compromises a server you routinely connect to, or who can intercept your traffic, can exploit the bug without your interaction beyond connecting.

The libssh2 maintainers have released version 1.11.2 to fix the issue. The advisory linked in the CVE details confirms the patch corrects the boundary check that permitted the overread. All prior versions are affected, including those shipped in long-term-support Linux distributions and third-party Windows packages.

What It Means for You

For Everyday Windows Users

If you use Git for Windows, you’re very likely running a vulnerable libssh2 build. Git’s installer silently includes the library, and every git clone or git push over SSH leverages it. The same goes for Windows Subsystem for Linux (WSL) if you’ve installed command-line tools that rely on libssh2 for SSH operations. The risk is real: if you regularly clone repositories from unknown servers or connect to a compromised Git remote, an attacker could exploit this flaw.

Many graphical SFTP clients for Windows, such as WinSCP, do not use libssh2 (they rely on PuTTY’s implementation), but FileZilla, Cyberduck, and other cross-platform tools often do. Similarly, popular terminal emulators like MobaXterm embed the library. Check your application’s documentation or dependency list to confirm.

For Power Users and Developers

If you maintain scripts or build pipelines on Windows that call curl or scp with libssh2 backends, your automation is vulnerable. CI/CD runners that pull code from private repositories or push artifacts to staging servers could be exploited if the runner connects to a malicious server. The attack surface grows when you consider Docker images and virtual environments that often carry outdated libssh2 versions.

Visual Studio’s built-in Git support also uses libssh2 under the hood. Any file-operation-based SSH connection made from within the IDE is at risk until the underlying library is updated.

For IT Administrators

Server-side Windows machines that embed libssh2 for outbound connections are less common, but not unheard of: some monitoring agents, backup scripts, and infrastructure-as-code tools rely on it. More critically, if you manage endpoints with a software catalog, you need to inventory every application that might bundle libssh2. Because it’s a library, a simple version check on the DLL won’t always reveal the version—you’ll need to query the application’s manifest or the official release notes.

Network-level mitigations are limited. If you control the SSH servers to which clients connect, you can reduce exposure by locking down those servers. But for connections to third-party services (GitHub, GitLab, managed SFTP endpoints), you depend on those providers not being compromised—and on your own transport security. A man-in-the-middle attack possible if SSH host keys aren’t strictly verified, which remains a common misconfiguration.

How We Got Here

Libssh2 has been a staple of the open-source ecosystem since 2005. Its lightweight design made it the go-to choice for embedding SSH in resource-constrained applications. Unlike its heavier cousin libssh, which provides a full session layer, libssh2 focuses on a minimal client-side implementation. Over the years, it accumulated a long list of contributors and was gradually adopted by major projects: curl added libssh2 support in 2005, Git for Windows integrated it in its 2.x series, and countless IoT devices use it under the hood.

The SFTP heap overread bug class isn’t new to libssh2. In 2019, CVE-2019-3858 revealed a similar out-of-bounds read in the same module, though through a different packet type. That incident led to a code audit and a series of patches, but the complexity of the SFTP protocol means that such errors can resurface. The current flaw appears to have been introduced in a 2023 refactoring that optimized packet parsing, as noted in the advisory from the libssh2 project.

The vulnerability was reportedly discovered by a security researcher during a red-team exercise targeting DevOps pipelines. It was privately disclosed to the libssh2 maintainers in May 2026, giving the project a month to prepare a fix before the June 12 coordinated release. The rapid development of an exploit is probable; proof-of-concept code already circulates in security research communities, though no in-the-wild attacks have been reported at the time of writing.

What to Do Now

Immediate Actions

  1. Identify libssh2 in your environment. Scan your Windows machine for libssh2.dll or libssh2-*.dll. Use a tool like where in Command Prompt or search within C:\Program Files and C:\Program Files (x86). Note the applications that contain it.
  2. Update libssh2 to 1.11.2 or later. If you have direct control over the library, download the latest binary from the official libssh2 website or via your package manager (Chocolatey: choco upgrade libssh2, Scoop: scoop update libssh2, or vcpkg).
  3. Update affected applications. Watch for vendor updates:
    - Git for Windows: The next release will include the patched library. Enable automatic updates or check manually using git update-git-for-windows.
    - curl for Windows: If you use the official build, download a new binary from the curl website. Third-party builds (e.g., from MSYS2) need to be refreshed via their respective package managers.
    - Docker Desktop: It bundles various libraries; pull the latest stable version.
    - VS Code: The embedded Git usually lags behind the official Git for Windows release. After updating Git system-wide, restart VS Code.
  4. For developers: If you link libssh2 statically, recompile your applications with the updated library and redistribute. If you consume it via NuGet or vcpkg, update the dependency reference.

Hardening Measures

  • Enforce strict host-key checking. In Git, set core.sshCommand to ssh -o StrictHostKeyChecking=yes. In scripts, pass the equivalent flag. This prevents man-in-the-middle attacks that could exploit the vulnerability even before a patch is applied.
  • Audit your CI/CD pipelines. Replace any hardcoded connections to staging servers that you don’t fully control. Consider isolating automated SSH traffic to a trusted network segment.
  • Reduce the attack surface. If your tool supports multiple SSH backends, switch to one that isn’t affected (e.g., OpenSSL-based SSH libraries). For curl, you can choose the openssh or wolfssh backend at compile time, though this is non-trivial on Windows.

For IT Administrators

  • Deploy a software inventory tool. Use something like PDQ Inventory or Microsoft Configuration Manager to locate all instances of libssh2.dll across your fleet.
  • Push updates via group policy or endpoint management. For Git for Windows, you can deploy the MSI update silently. For Portable Git, replace the folder contents.
  • Monitor network traffic. Look for anomalous SSH connections from client machines to unknown IPs, which could indicate a compromised server being used to trigger the bug.

Outlook

The libssh2 project has a responsive maintenance team, and the fix is straightforward. However, the real challenge is the ecosystem’s dependency chain. Even a week after disclosure, many downstream projects are still preparing releases. Historically, similar library bugs have lingered in the public for months because embedded components don’t get updated automatically.

Microsoft might integrate the fix into its own tooling—Visual Studio, PowerShell SSH commands, and WSL distros—on their next patch Tuesday or via an out-of-band update, but no official guidance has been published yet. Third-party maintainers for Chocolatey, Scoop, and MSYS2 typically move faster. Watch for advisories from your software vendors and apply updates as they become available.

For organizations, the incident underscores the importance of software bill of materials (SBOM) tracking. Without knowing exactly which libraries your tools rely on, you’re left scrambling with every new CVE. The silver lining: CVE-2025-15661 is a prompt for a much-needed audit of SSH dependencies, and the fix itself is a simple library swap. Stay vigilant, and keep your repositories and deployment scripts tightly controlled.