An attacker can do this by sending the SSH server "SSH2_MSG_USERAUTH_SUCCESS" message instead of the "SSH2_MSG_USERAUTH_REQUEST" message that a server usually expects (...)
The vulnerability, which is tracked as CVE-2018-10933, was introduced in libssh 0.6.0, released in January 2014. The libssh team released versions 0.8.4 and 0.7.6 yesterday to address this bug.
This is what happens when you don't test your protocol implementation. Good thing it only took four and a half years to discover. Sadly, that's two and a half years less than the average for zero-day exploits.
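The kind of negative test that catches this class of bug, as an added example (not libssh's code): a toy dispatcher in which a server accepts any known message type, next to one that filters by role and state first. The struct, function names and the `creds_ok` flag are hypothetical; only the message numbers are real (RFC 4252).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* SSH user-auth message numbers (RFC 4252). */
enum { MSG_USERAUTH_REQUEST = 50, MSG_USERAUTH_FAILURE = 51, MSG_USERAUTH_SUCCESS = 52 };

/* Hypothetical toy session; not libssh's real structures. */
struct session { bool is_server; bool authenticated; };

/* Unfiltered dispatch: one handler table shared by both roles. */
static void dispatch_unfiltered(struct session *s, uint8_t type, bool creds_ok) {
    switch (type) {
    case MSG_USERAUTH_REQUEST:   /* creds_ok stands in for real credential checks */
        if (creds_ok) s->authenticated = true;
        break;
    case MSG_USERAUTH_SUCCESS:   /* handler meant for the client role only */
        s->authenticated = true;
        break;
    default:
        break;
    }
}

/* Filter: is this message type acceptable for our role and current state? */
static bool packet_allowed(const struct session *s, uint8_t type) {
    switch (type) {
    case MSG_USERAUTH_REQUEST: return s->is_server && !s->authenticated;
    case MSG_USERAUTH_SUCCESS:
    case MSG_USERAUTH_FAILURE: return !s->is_server;  /* only a server sends these */
    default:                   return false;
    }
}

static bool dispatch_filtered(struct session *s, uint8_t type, bool creds_ok) {
    if (!packet_allowed(s, type)) return false;       /* drop before any handler runs */
    dispatch_unfiltered(s, type, creds_ok);
    return true;
}

/* Regression check: state of a fresh server session after one peer message. */
static bool server_authenticated_after(uint8_t type, bool creds_ok, bool filtered) {
    struct session s = { .is_server = true, .authenticated = false };
    if (filtered) (void)dispatch_filtered(&s, type, creds_ok);
    else dispatch_unfiltered(&s, type, creds_ok);
    return s.authenticated;
}

int main(void) {
    printf("filtered server authenticated by SUCCESS: %d\n",
           server_authenticated_after(MSG_USERAUTH_SUCCESS, false, true));
    return 0;
}
```

The assertion worth keeping in a test suite is the negative one: a server session must still be unauthenticated after the peer sends a message type that only servers are supposed to send.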