Description
Russh is a Rust SSH client & server library. Prior to version 0.60.1, a pre-authentication denial-of-service vulnerability exists in the server's keyboard-interactive authentication handler. A malicious client can crash any russh-based server that implements keyboard-interactive auth (e.g., for 2FA/TOTP) with a single malformed packet, requiring no credentials. This issue has been patched in version 0.60.1.
Published: 2026-05-08
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Russh, a Rust SSH client and server library, contains a pre‑authentication denial‑of‑service flaw in the server's keyboard‑interactive authentication handler. An attacker who connects to a russh‑based server can send a single malformed packet during the keyboard‑interactive phase, causing an unbounded memory allocation that crashes the server. The flaw is a classic memory exhaustion bug identified as CWE‑770 and CWE‑789, and it allows an attacker to disrupt service without authentication, affecting availability.

Affected Systems

Russh versions prior to 0.60.1, distributed by the vendor Eugeny (Eugeny:russh), are affected when keyboard‑interactive authentication is enabled. The library is employed in SSH servers for 2FA/TOTP, and any server that incorporates russh before 0.60.1 and exposes this method is vulnerable.

Risk and Exploitability

With a CVSS score of 7.5 the vulnerability is of high severity, though no exploit probability score is currently available. The attack does not require credentials or complex setup; a simple malformed packet over a normal SSH connection will trigger the crash. Because the issue is not listed in the CISA KEV catalog and no public exploits are known, the immediate risk is low to moderate, but organisations that expose russh servers should patch promptly to avoid accidental denial of service.

Generated by OpenCVE AI on May 8, 2026 at 22:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the russh library to version 0.60.1 or later.
  • Disable or remove keyboard‑interactive authentication on servers using russh until the upgrade can be applied.
  • If immediate upgrade is impossible, apply a custom patch that limits the size of incoming keyboard‑interactive packets to prevent the unbounded allocation.

Generated by OpenCVE AI on May 8, 2026 at 22:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-f5v4-2wr6-hqmg russh has pre-auth DoS via unbounded allocation in its keyboard-interactive auth handler
History

Thu, 14 May 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Russh Project
Russh Project russh
Warpgate Project
Warpgate Project warpgate
CPEs cpe:2.3:a:russh_project:russh:*:*:*:*:*:rust:*:*
cpe:2.3:a:warpgate_project:warpgate:*:*:*:*:*:*:*:*
Vendors & Products Russh Project
Russh Project russh
Warpgate Project
Warpgate Project warpgate

Mon, 11 May 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 08 May 2026 23:15:00 +0000

Type Values Removed Values Added
First Time appeared Eugeny
Eugeny russh
Vendors & Products Eugeny
Eugeny russh

Fri, 08 May 2026 20:00:00 +0000

Type Values Removed Values Added
Description Russh is a Rust SSH client & server library. Prior to version 0.60.1, a pre-authentication denial-of-service vulnerability exists in the server's keyboard-interactive authentication handler. A malicious client can crash any russh-based server that implements keyboard-interactive auth (e.g., for 2FA/TOTP) with a single malformed packet, requiring no credentials. This issue has been patched in version 0.60.1.
Title Russh: Pre-auth DoS via unbounded allocation in keyboard-interactive auth
Weaknesses CWE-770
CWE-789
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Eugeny Russh
Russh Project Russh
Warpgate Project Warpgate
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-11T14:23:49.308Z

Reserved: 2026-04-25T01:53:21.583Z

Link: CVE-2026-42189

cve-icon Vulnrichment

Updated: 2026-05-11T14:23:45.423Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-08T20:16:31.443

Modified: 2026-05-14T18:07:22.943

Link: CVE-2026-42189

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-08T23:00:15Z

Weaknesses
  • CWE-770

    Allocation of Resources Without Limits or Throttling

  • CWE-789

    Memory Allocation with Excessive Size Value