Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Pre-auth SSH decode flaw reachable over the network with no user interaction; impact is availability-only via over-allocation, with no confidentiality or integrity effect.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2Blast Radius
ecosystem impact- 2 cargo packages depend on russh (2 direct, 0 indirect)
Ecosystem-wide dependent count for version 0.34.0.
DescriptionCVE.org
Russh is a Rust SSH client & server library. From version 0.34.0 to before version 0.61.0, several russh client and server message handlers decoded attacker-controlled SSH strings, name-lists, and byte fields into owned allocations before applying field-specific bounds. A remote SSH peer could send oversized, high-fanout, or malformed length-prefixed fields and make the library allocate, attempt to allocate, or split data before rejecting input that should have been rejected earlier. This issue has been patched in version 0.61.0.
AnalysisAI
Denial of service in Russh (Rust SSH client/server library) versions 0.34.0 through 0.60.x allows remote SSH peers to trigger excessive memory allocation by sending oversized, high-fanout, or malformed length-prefixed SSH strings, name-lists, and byte fields before field-specific bounds checks are applied. The flaw affects both client and server message handlers and impacts availability only (CVSS 7.5, C:N/I:N/A:H). No public exploit identified at time of analysis.
Technical ContextAI
Russh is a pure-Rust implementation of the SSH2 protocol used as both a client and server library, typically embedded in applications that need programmatic SSH (e.g., bastions, automation, custom servers). The root cause is CWE-20 (Improper Input Validation): the SSH wire format uses length-prefixed strings, name-lists, and byte arrays (RFC 4251 §5), and Russh's decoders allocated owned buffers sized from those attacker-controlled length fields - or eagerly split/iterated over high-fanout name-lists - before enforcing the per-field maximums that the protocol logic later expected. This lets a peer drive the process toward over-allocation during the early decode stage rather than being rejected at the framing layer.
RemediationAI
Vendor-released patch: russh 0.61.0 - upgrade the russh dependency in Cargo.toml to >=0.61.0 and rebuild/redeploy all consuming binaries (cargo update -p russh), then verify the lockfile no longer references a 0.34.0-0.60.x release. Consult the GHSA at https://github.com/Eugeny/russh/security/advisories/GHSA-4r3c-5hpg-58qr for the exact patched commits. If immediate upgrade is not possible, compensating controls include restricting inbound SSH to known source IPs at the firewall (reduces but does not eliminate exposure if any allowed peer is malicious), placing the russh-based server behind a hardened SSH bastion or proxy that terminates and re-frames SSH (adds latency and operational complexity), and applying per-process memory cgroup/ulimit caps so an over-allocation crashes only the worker rather than the host (causes legitimate sessions to fail under load). For russh used as a client, avoid connecting to untrusted SSH servers until patched.
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot
Russh is a Rust SSH client & server library. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable,
russh is a Rust SSH client and server library. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploita
Pre-authentication denial-of-service in russh SSH server library allows remote attackers to crash servers implementing k
Denial of service in Russh (versions 0.37.0-0.60.x), a Rust SSH client and server library, allows a malicious SSH server
Russh is a Rust SSH client & server library. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitabl
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36131
GHSA-4r3c-5hpg-58qr