Description
Russh is a Rust SSH client & server library. From version 0.37.0 to before version 0.61.0, in the russh client keyboard-interactive authentication path, a malicious SSH server could send a USERAUTH_INFO_REQUEST with an attacker-controlled prompt count, and the client would use that raw count directly in Vec::with_capacity(...) before validating that enough prompt data was actually present in the packet. This issue has been patched in version 0.61.0.
Published: 2026-06-10
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This flaw occurs in the Russh client during the keyboard-interactive authentication path. A malicious SSH server can send a USERAUTH_INFO_REQUEST packet containing an attacker-controlled prompt count. The client uses that raw count to allocate a vector before verifying that enough prompt data is actually present in the packet. The unchecked count can lead to an oversized allocation or a crash, causing the client or application to terminate unexpectedly.

Affected Systems

The vulnerability affects the Russh library from version 0.37.0 up to, but excluding, 0.61.0. Only the Eugeny:russh product family is impacted.

Risk and Exploitability

The CVSS score of 6.5 marks this vulnerability as having moderate severity. No EPSS score is available, and the flaw is not listed in the CISA KEV catalog, indicating limited public exploitation data. The attack can be performed by any entity running a rogue SSH server to which a client using the affected Russh library connects. Exploitation would result in memory allocation errors and a crash, delivering a denial-of-service impact on the client side.

Generated by OpenCVE AI on June 10, 2026 at 22:58 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the Russh library to version 0.61.0 or later.
  • Rebuild all dependent code to ensure that no component references a version of Russh older than 0.61.0.
  • If an urgent upgrade is not possible, modify the client’s authentication handling to validate the prompt count against the actual amount of prompt data received and reject or limit requests that exceed reasonable bounds.
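
The validation the last action describes, shown as an added example (not russh's own code): a parser for the USERAUTH_INFO_REQUEST body that checks the untrusted prompt count against the bytes actually present before using it in Vec::with_capacity, and returns an error instead of crashing on a truncated packet. The sample_packet builder and its contents are constructed for this example.

```rust
// Added example, not russh's code: bounds-checked parsing of an SSH USERAUTH_INFO_REQUEST
// body (RFC 4256): name, instruction, language tag, uint32 count, count x (prompt, echo).
fn take_u32(buf: &[u8], pos: &mut usize) -> Result<u32, String> {
    let end = pos.checked_add(4).ok_or("length overflow")?;
    let b = buf.get(*pos..end).ok_or("truncated uint32")?;
    *pos = end;
    Ok(u32::from_be_bytes([b[0], b[1], b[2], b[3]]))
}
fn take_string(buf: &[u8], pos: &mut usize) -> Result<String, String> {
    let len = take_u32(buf, pos)? as usize;
    let end = pos.checked_add(len).ok_or("length overflow")?;
    let b = buf.get(*pos..end).ok_or("truncated string")?;
    *pos = end;
    String::from_utf8(b.to_vec()).map_err(|e| e.to_string())
}
/// Returns (instruction, prompts); the untrusted count is checked before sizing any allocation.
pub fn parse_info_request(body: &[u8]) -> Result<(String, Vec<(String, bool)>), String> {
    let mut pos = 0;
    let _name = take_string(body, &mut pos)?;
    let instruction = take_string(body, &mut pos)?;
    let _lang = take_string(body, &mut pos)?;
    let count = take_u32(body, &mut pos)? as usize;
    // Each prompt needs >= 5 bytes (4-byte length + echo flag), so a larger count cannot fit.
    if count > (body.len() - pos) / 5 {
        return Err(format!("prompt count {} exceeds packet data", count));
    }
    let mut prompts = Vec::with_capacity(count); // now bounded by the packet size
    for _ in 0..count {
        let text = take_string(body, &mut pos)?;
        let echo = *body.get(pos).ok_or("truncated echo flag")? != 0;
        pos += 1;
        prompts.push((text, echo));
    }
    Ok((instruction, prompts))
}
fn put_string(out: &mut Vec<u8>, s: &str) {
    out.extend_from_slice(&(s.len() as u32).to_be_bytes());
    out.extend_from_slice(s.as_bytes());
}
pub fn sample_packet(count: u32) -> Vec<u8> { // constructed: one real prompt, count field = count
    let mut out = Vec::new();
    put_string(&mut out, "");               // name
    put_string(&mut out, "Enter password"); // instruction
    put_string(&mut out, "");               // language tag
    out.extend_from_slice(&count.to_be_bytes());
    put_string(&mut out, "Password: ");
    out.push(0);                            // echo = false
    out
}
```

With count set to u32::MAX the check rejects the packet up front; with a count of 2 it passes the bound but the parser still fails cleanly on the missing second prompt.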

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 23:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Eugeny; Eugeny russh
Vendors & Products                    Eugeny; Eugeny russh

Wed, 10 Jun 2026 21:00:00 +0000

Type         Values Removed   Values Added
Description  (none)           Russh is a Rust SSH client & server library. From version 0.37.0 to before version 0.61.0, in the russh client keyboard-interactive authentication path, a malicious SSH server could send a USERAUTH_INFO_REQUEST with an attacker-controlled prompt count, and the client would use that raw count directly in Vec::with_capacity(...) before validating that enough prompt data was actually present in the packet. This issue has been patched in version 0.61.0.
Title        (none)           Russh: Unchecked keyboard-interactive prompt count in client auth path
Weaknesses   (none)           CWE-20
References   (none)           (none listed)
Metrics      (none)           cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T20:23:45.325Z

Reserved: 2026-05-20T18:46:58.287Z

Link: CVE-2026-48107

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-10T22:17:00.983

Modified: 2026-06-10T22:17:00.983

Link: CVE-2026-48107

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T23:00:20Z

Weaknesses
  • CWE-20: Improper Input Validation