Skip to main content

russh CVE-2026-42189

| EUVDEUVD-2026-28822 HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-05-08 GitHub_M
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
May 08, 2026 - 20:33 vuln.today
Analysis Generated
May 08, 2026 - 20:33 vuln.today
CVE Published
May 08, 2026 - 19:49 nvd
HIGH 7.5

DescriptionGitHub Advisory

Russh is a Rust SSH client & server library. Prior to version 0.60.1, a pre-authentication denial-of-service vulnerability exists in the server's keyboard-interactive authentication handler. A malicious client can crash any russh-based server that implements keyboard-interactive auth (e.g., for 2FA/TOTP) with a single malformed packet, requiring no credentials. This issue has been patched in version 0.60.1.

AnalysisAI

Pre-authentication denial-of-service in russh SSH server library allows remote attackers to crash servers implementing keyboard-interactive authentication via a single malformed packet. Affects russh versions prior to 0.60.1. Attacker sends crafted SSH_MSG_USERAUTH_INFO_RESPONSE with inflated allocation count (e.g., 0x10000000), triggering multi-gigabyte memory allocation and OOM crash before any credential validation occurs. Vendor-released patch available (v0.60.1) bounds allocation to remaining packet data. Confirmed working exploit code exists per GitHub security advisory GHSA-f5v4-2wr6-hqmg. CVSS 7.5 (High) with network vector, low complexity, no privileges required.

Technical ContextAI

The vulnerability lies in russh's implementation of SSH RFC 4256 keyboard-interactive authentication. The server's read_userauth_info_response function in russh/src/server/encrypted.rs decodes a client-controlled u32 count field from SSH_MSG_USERAUTH_INFO_RESPONSE packets and passes it directly to Vec::with_capacity() without validation. In Rust, Vec::with_capacity(n) pre-allocates memory for n elements, where each element is Option<Bytes> (~24 bytes on 64-bit systems). A malicious client can specify n=0x10000000 (268 million) in a minimal ~50-byte packet, forcing the server to attempt allocating ~6.4GB of contiguous memory, exceeding system limits and triggering OOM termination. This is a classic CWE-770 (Allocation of Resources Without Limits or Throttling) vulnerability in the SSH protocol implementation layer. The issue occurs during the authentication negotiation phase, specifically when the server sends keyboard-interactive prompts (common for 2FA/TOTP implementations) and awaits client responses. The attack exploits the gap between SSH key exchange (which establishes encryption but not authentication) and actual credential validation.

RemediationAI

Upgrade russh to version 0.60.1 or later, which implements allocation bounds based on remaining packet data (commit 6c3c80a9b6d60763d6227d60fa8310e57172a4d1). The fix limits Vec::with_capacity(n) to max_responses = (r.remaining_len() + 3) / 4, preventing multi-GB allocations from small packets. Update Cargo.toml dependency: russh = "0.60.1", rebuild, and redeploy. For environments unable to immediately upgrade: (1) Disable keyboard-interactive authentication at the handler level by ensuring auth_keyboard_interactive returns Auth::reject() instead of Auth::Partial - trade-off: loss of 2FA/TOTP workflows; (2) Deploy rate-limiting at the network edge (firewall/load balancer) to throttle SSH connection attempts per source IP - trade-off: legitimate users may be blocked during bursts, and attackers can rotate IPs to bypass; (3) Set conservative memory limits (e.g., Linux cgroup memory.max) for the russh server process to trigger controlled restart rather than system-wide OOM - trade-off: same DoS outcome but protects other services. Patch is strongly preferred; workarounds only buy time. Advisory: https://github.com/Eugeny/russh/security/advisories/GHSA-f5v4-2wr6-hqmg. Commit diff: https://github.com/Eugeny/russh/commit/6c3c80a9b6d60763d6227d60fa8310e57172a4d1.

Share

CVE-2026-42189 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy