Description
Russh is a Rust SSH client & server library. Prior to version 0.60.3, CryptoVec used unchecked capacity growth, unchecked length arithmetic, and unsafe allocation/locking paths. In current russh releases, local SSH agent peers could still feed attacker-controlled frame lengths into buffer growth before validation. In older russh releases before 0.58.0, remote SSH traffic also reached CryptoVec through transport and compression buffers. This issue has been patched in version 0.60.3.
Published: 2026-06-10
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Prior to version 0.60.3, Russh’s CryptoVec performs unchecked capacity growth, unchecked length arithmetic, and unsafe allocation/locking paths for its internal buffers. The bug allows attacker-controlled frame lengths to be used in buffer growth before validation, exposing the library to buffer overflows or other memory corruption issues. This is captured by CWE-770. Based on the description, the impact could potentially result in denial of service or possibly arbitrary code execution if the corruption is leveraged in a larger attack context.
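The record names the mechanism (peer-supplied frame lengths reaching capacity growth before validation, plus unchecked length arithmetic) without showing it. The following is an added Rust example, not russh's CryptoVec and not code from the russh project: a hypothetical `BoundedBuf` that reads a 4-byte big-endian length prefix, validates it against a per-frame and a total limit, and uses checked arithmetic before reserving capacity, beside `unchecked_target_len`, which shows how wrapping arithmetic turns a huge declared length into a small target size. The limits `MAX_FRAME_LEN` and `MAX_BUFFERED`, the error type, and all names are assumptions made for the example.

```rust
// Added example, not russh's CryptoVec: a growable byte buffer that validates a
// peer-supplied frame length against hard limits and uses checked arithmetic
// before it touches capacity. Names and limits here are hypothetical.

/// Largest single frame this buffer will accept (hypothetical limit).
pub const MAX_FRAME_LEN: usize = 256 * 1024;
/// Largest total buffered size (hypothetical limit).
pub const MAX_BUFFERED: usize = 1024 * 1024;

#[derive(Debug, PartialEq, Eq)]
pub enum FrameError {
    /// Fewer than 4 header bytes were supplied.
    ShortHeader,
    /// Declared length exceeds MAX_FRAME_LEN.
    FrameTooLarge(u64),
    /// current length + declared length overflowed usize.
    LengthOverflow,
    /// Accepting this frame would exceed MAX_BUFFERED.
    BufferLimit,
    /// Declared length is longer than the bytes actually supplied.
    Truncated { declared: usize, available: usize },
}

/// What an unchecked growth path computes: the new length silently wraps, so a
/// huge declared frame length becomes a small target size while a caller that
/// trusts `declared` still copies that many bytes.
pub fn unchecked_target_len(current: usize, declared: usize) -> usize {
    current.wrapping_add(declared)
}

#[derive(Default)]
pub struct BoundedBuf {
    data: Vec<u8>,
}

impl BoundedBuf {
    pub fn new() -> Self {
        Self::default()
    }

    pub fn len(&self) -> usize {
        self.data.len()
    }

    /// Read a 4-byte big-endian length prefix (the shape of SSH's
    /// packet_length field) without trusting its value.
    pub fn parse_len(header: &[u8]) -> Result<u64, FrameError> {
        if header.len() < 4 {
            return Err(FrameError::ShortHeader);
        }
        let bytes = [header[0], header[1], header[2], header[3]];
        Ok(u64::from(u32::from_be_bytes(bytes)))
    }

    /// Validate a declared frame length and reserve room for it. Every check
    /// runs before any allocation and before any arithmetic that could wrap.
    pub fn reserve_frame(&mut self, declared: u64) -> Result<usize, FrameError> {
        // 1. Per-frame limit, compared as u64 so no narrowing happens first.
        if declared > MAX_FRAME_LEN as u64 {
            return Err(FrameError::FrameTooLarge(declared));
        }
        let want = declared as usize; // safe: declared <= MAX_FRAME_LEN
        // 2. Checked addition: an overflow is an error, never a wraparound.
        let new_len = self
            .data
            .len()
            .checked_add(want)
            .ok_or(FrameError::LengthOverflow)?;
        // 3. Total limit: many individually legal frames cannot exhaust memory.
        if new_len > MAX_BUFFERED {
            return Err(FrameError::BufferLimit);
        }
        self.data.reserve(want);
        Ok(new_len)
    }

    /// Ingest one length-prefixed frame; returns the new buffer length.
    pub fn push_frame(&mut self, frame: &[u8]) -> Result<usize, FrameError> {
        let declared = Self::parse_len(frame)?;
        let body = &frame[4..];
        // 4. Never copy more than was actually supplied.
        if (body.len() as u64) < declared {
            return Err(FrameError::Truncated {
                declared: declared as usize,
                available: body.len(),
            });
        }
        self.reserve_frame(declared)?;
        self.data.extend_from_slice(&body[..declared as usize]);
        Ok(self.data.len())
    }
}

fn main() {
    let mut buf = BoundedBuf::new();
    // Constructed frame: declared length 5, body "hello".
    let mut ok = vec![0u8, 0, 0, 5];
    ok.extend_from_slice(b"hello");
    println!("{:?}", buf.push_frame(&ok));
    // Constructed hostile header: declared length 0xFFFF_FFFF, no body.
    println!("{:?}", buf.push_frame(&[0xff, 0xff, 0xff, 0xff]));
}
```

The per-frame check compares the raw u64 before any narrowing, the total check runs on the checked sum, and the copy uses the validated length, so a hostile header fails closed with an error instead of reaching the allocator.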

Affected Systems

The vulnerability affects the Rust SSH client and server library published by Eugeny, named russh. Any release prior to 0.60.3 is affected when local SSH agent peers provide inputs, while versions before 0.58.0 also expose the flaw to remote SSH traffic through transport and compression buffers.

Risk and Exploitability

With a CVSS score of 7.5, the vulnerability is considered high severity. The EPSS score is not available, so the exact likelihood of exploitation cannot be quantified, and the bug is not listed in the CISA KEV catalog. Attackers who can reach the local SSH agent inputs may exploit the unchecked buffer growth, and remote attackers can trigger the flaw against older releases via normal SSH traffic. Based on the description, the potential impact is likely significant for systems employing older russh versions.

Generated by OpenCVE AI on June 10, 2026 at 23:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade russh to version 0.60.3 or a newer release that contains the patch.
  • If an immediate upgrade is not possible, limit local SSH agent input to trusted peers or disable agent forwarding to prevent attacker-controlled frame lengths from reaching CryptoVec.
  • For deployments using russh versions older than 0.58.0, either upgrade to the patched series or migrate to a different SSH library to eliminate remote exposure through transport and compression buffers.



Advisories
Source: Github GHSA | ID: GHSA-g9f8-wqj9-fjw5 | Title: Russh: Unchecked CryptoVec allocation and growth handling is reachable
History

Wed, 10 Jun 2026 23:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Eugeny; Eugeny russh
Vendors & Products | (none) | Eugeny; Eugeny russh

Wed, 10 Jun 2026 21:00:00 +0000

Type | Values Removed | Values Added
Description | (none) | Russh is a Rust SSH client & server library. Prior to version 0.60.3, CryptoVec used unchecked capacity growth, unchecked length arithmetic, and unsafe allocation/locking paths. In current russh releases, local SSH agent peers could still feed attacker-controlled frame lengths into buffer growth before validation. In older russh releases before 0.58.0, remote SSH traffic also reached CryptoVec through transport and compression buffers. This issue has been patched in version 0.60.3.
Title | (none) | Russh: Unchecked CryptoVec allocation and growth handling is reachable from local agent inputs in current russh releases and from remote SSH traffic in historical pre-0.58.0 releases
Weaknesses | (none) | CWE-770
References | (none) | (none)
Metrics | (none) | cvssV3_1: score 7.5, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T20:16:28.001Z

Reserved: 2026-05-15T21:46:51.547Z

Link: CVE-2026-46673

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-10T22:17:00.167

Modified: 2026-06-10T22:17:00.167

Link: CVE-2026-46673

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T23:30:44Z

Weaknesses
  • CWE-770: Allocation of Resources Without Limits or Throttling