Description
Russh is a Rust SSH client & server library. Prior to version 0.60.1, a pre-authentication denial-of-service vulnerability exists in the server's keyboard-interactive authentication handler. A malicious client can crash any russh-based server that implements keyboard-interactive auth (e.g., for 2FA/TOTP) with a single malformed packet, requiring no credentials. This issue has been patched in version 0.60.1.
Published: 2026-05-08
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Russh, a Rust SSH client and server library, contains a pre‑authentication denial‑of‑service flaw in the server's keyboard‑interactive authentication handler. An attacker who connects to a russh‑based server can send a single malformed packet during the keyboard‑interactive phase, causing an unbounded memory allocation that crashes the server. The flaw is a classic memory exhaustion bug identified as CWE‑770 and CWE‑789, and it allows an attacker to disrupt service without authentication, affecting availability.

Affected Systems

Russh versions prior to 0.60.1, distributed by the vendor Eugeny (Eugeny:russh), are affected when keyboard‑interactive authentication is enabled. The library is employed in SSH servers for 2FA/TOTP, and any server that incorporates russh before 0.60.1 and exposes this method is vulnerable.

Risk and Exploitability

With a CVSS score of 7.5 the vulnerability is of high severity, though no exploit probability score is currently available. The attack does not require credentials or complex setup; a simple malformed packet over a normal SSH connection will trigger the crash. Because the issue is not listed in the CISA KEV catalog and no public exploits are known, the immediate risk is low to moderate, but organisations that expose russh servers should patch promptly to avoid accidental denial of service.

Generated by OpenCVE AI on May 8, 2026 at 22:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the russh library to version 0.60.1 or later.
  • Disable or remove keyboard‑interactive authentication on servers using russh until the upgrade can be applied.
  • If immediate upgrade is impossible, apply a custom patch that limits the size of incoming keyboard‑interactive packets to prevent the unbounded allocation.
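As a constructed illustration of the CWE-770/789 bug class named above, not russh's own code and not necessarily the exact defect fixed in 0.60.1 (this page does not detail it), the following Rust parser for a keyboard-interactive INFO_RESPONSE body shows the vulnerable shape, where a client-supplied count sizes an allocation, beside the bounded form that a custom patch of the kind recommended above would aim for. The message layout follows RFC 4256; MAX_RESPONSES, the function names and the sample bytes are assumptions.

```rust
// Constructed example: an SSH_MSG_USERAUTH_INFO_RESPONSE body (RFC 4256) is
// "uint32 num-responses" followed by that many length-prefixed strings.
/// Policy cap on responses per packet (assumed value, not from russh).
pub const MAX_RESPONSES: usize = 64;

fn read_u32(buf: &[u8], pos: &mut usize) -> Option<u32> {
    let b = buf.get(*pos..pos.checked_add(4)?)?;
    *pos += 4;
    Some(u32::from_be_bytes([b[0], b[1], b[2], b[3]]))
}

fn read_string<'a>(buf: &'a [u8], pos: &mut usize) -> Option<&'a [u8]> {
    let len = read_u32(buf, pos)? as usize;
    let s = buf.get(*pos..pos.checked_add(len)?)?;
    *pos += len;
    Some(s)
}

/// Vulnerable shape: the client-controlled count sizes an allocation before any
/// response is validated, so a count near u32::MAX reserves gigabytes.
pub fn parse_responses_unbounded(payload: &[u8]) -> Option<Vec<Vec<u8>>> {
    let mut pos = 0;
    let n = read_u32(payload, &mut pos)? as usize;
    let mut out = Vec::with_capacity(n); // sized by attacker input
    for _ in 0..n {
        out.push(read_string(payload, &mut pos)?.to_vec());
    }
    Some(out)
}

/// Hardened shape: reject counts the packet cannot physically hold (each response
/// needs a 4-byte length) or that exceed policy; grow only as bytes are consumed.
pub fn parse_responses_bounded(payload: &[u8]) -> Option<Vec<Vec<u8>>> {
    let mut pos = 0;
    let n = read_u32(payload, &mut pos)? as usize;
    if n > MAX_RESPONSES || n > (payload.len() - pos) / 4 {
        return None; // rejected before allocating anything
    }
    let mut out = Vec::new();
    for _ in 0..n {
        out.push(read_string(payload, &mut pos)?.to_vec());
    }
    Some(out)
}

/// Constructed sample body: two responses, "otp" and "123456".
pub const SAMPLE_PACKET: &[u8] = b"\x00\x00\x00\x02\x00\x00\x00\x03otp\x00\x00\x00\x06123456";
```

The unbounded variant is only ever safe to call on input the bounded check has already accepted; on a hostile count it aborts the process with a capacity overflow or allocation failure, which is the crash the advisory describes.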



Advisories

Source: Github GHSA
ID: GHSA-f5v4-2wr6-hqmg
Title: russh has pre-auth DoS via unbounded allocation in its keyboard-interactive auth handler
History

Fri, 08 May 2026 23:15:00 +0000

Type: First Time appeared
Values Added: Eugeny; Eugeny russh

Type: Vendors & Products
Values Added: Eugeny; Eugeny russh

Fri, 08 May 2026 20:00:00 +0000

Type: Description
Values Added: Russh is a Rust SSH client & server library. Prior to version 0.60.1, a pre-authentication denial-of-service vulnerability exists in the server's keyboard-interactive authentication handler. A malicious client can crash any russh-based server that implements keyboard-interactive auth (e.g., for 2FA/TOTP) with a single malformed packet, requiring no credentials. This issue has been patched in version 0.60.1.

Type: Title
Values Added: Russh: Pre-auth DoS via unbounded allocation in keyboard-interactive auth

Type: Weaknesses
Values Added: CWE-770; CWE-789

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T19:49:51.179Z

Reserved: 2026-04-25T01:53:21.583Z

Link: CVE-2026-42189

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-08T20:16:31.443

Modified: 2026-05-08T20:16:31.443

Link: CVE-2026-42189

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T23:00:15Z

Weaknesses