Impact
The vulnerability in the russh library arises from parsing attacker-controlled SSH strings, name-lists, and byte fields into owned buffers before enforcing field-specific bounds. A remote peer that can open an SSH session can send length-prefixed fields whose declared length is far beyond any legitimate value, name-lists that split into an enormous number of entries, or otherwise malformed fields; the library sizes its allocation (or the number of split entries) from the peer's length prefix before checking that the field is plausible. The result is excessive memory consumption or a crash, that is, a denial of service against the application or system that embeds the library. The root cause is an allocation-first parser: the length prefix is trusted before the input boundary is validated, an unchecked input boundary error.
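As an added illustration for this advisory (not russh's own code, and not its fix), the following Rust shows the pattern described above: a decoder that reserves a buffer from the peer's length prefix before checking it, beside one that applies a field-specific cap and a name-list item cap before anything is allocated. The constants MAX_STRING_LEN and MAX_NAME_LIST_ITEMS, the error type, and the helper names are assumptions chosen for the example, not values from the library.

```rust
// Added illustration for this advisory, not russh's own code: a length-prefixed
// SSH "string"/"name-list" decoder written allocation-first, beside a version
// that enforces field-specific bounds before allocating. Caps are assumed values.

/// Assumed per-field cap on an SSH string; real limits depend on the message field.
pub const MAX_STRING_LEN: usize = 256 * 1024;
/// Assumed cap on how many names a single name-list may carry.
pub const MAX_NAME_LIST_ITEMS: usize = 64;

#[derive(Debug, PartialEq)]
pub enum ParseError {
    Truncated,
    TooLong(u32),
    TooManyNames(usize),
    NotAscii,
}

/// Reads the 4-byte big-endian length prefix that every SSH string carries.
fn length_prefix(input: &[u8]) -> Result<u32, ParseError> {
    if input.len() < 4 {
        return Err(ParseError::Truncated);
    }
    Ok(u32::from_be_bytes([input[0], input[1], input[2], input[3]]))
}

/// Allocation-first decoder: reserves `len` bytes on the peer's say-so and only
/// then asks whether the packet actually contains them. A prefix of 0xFFFFFFFF
/// reserves ~4 GiB (Rust aborts if the allocator refuses), so a peer that sends
/// four bytes and nothing else can exhaust memory or crash the process.
pub fn read_string_unbounded(input: &[u8]) -> Result<(Vec<u8>, &[u8]), ParseError> {
    let len = length_prefix(input)? as usize;
    let mut buf = Vec::with_capacity(len); // sized by the attacker
    let rest = &input[4..];
    if rest.len() < len {
        return Err(ParseError::Truncated); // too late: the reservation already happened
    }
    buf.extend_from_slice(&rest[..len]);
    Ok((buf, &rest[len..]))
}

/// Bounded decoder: field cap first, then "do the bytes exist", then a borrowed
/// slice. Nothing is allocated from a number the peer chose.
pub fn read_string_bounded(input: &[u8], max_len: usize) -> Result<(&[u8], &[u8]), ParseError> {
    let len32 = length_prefix(input)?;
    let len = len32 as usize;
    if len > max_len {
        return Err(ParseError::TooLong(len32));
    }
    let rest = &input[4..];
    if rest.len() < len {
        return Err(ParseError::Truncated);
    }
    Ok((&rest[..len], &rest[len..]))
}

/// Bounded name-list decoder (RFC 4251: comma-separated US-ASCII names). The
/// number of entries is counted before any String is built, so a field made of
/// nothing but commas cannot fan out into one allocation per byte.
pub fn read_name_list_bounded(input: &[u8]) -> Result<(Vec<String>, &[u8]), ParseError> {
    let (raw, rest) = read_string_bounded(input, MAX_STRING_LEN)?;
    if raw.is_empty() {
        return Ok((Vec::new(), rest));
    }
    let items = raw.iter().filter(|&&b| b == b',').count() + 1;
    if items > MAX_NAME_LIST_ITEMS {
        return Err(ParseError::TooManyNames(items));
    }
    if !raw.iter().all(|b| b.is_ascii() && !b.is_ascii_control()) {
        return Err(ParseError::NotAscii);
    }
    let names = raw
        .split(|&b| b == b',')
        .map(|name| String::from_utf8_lossy(name).into_owned())
        .collect();
    Ok((names, rest))
}

/// Encodes a well-formed SSH string (length prefix + payload). Test helper.
pub fn ssh_string(payload: &[u8]) -> Vec<u8> {
    let mut out = (payload.len() as u32).to_be_bytes().to_vec();
    out.extend_from_slice(payload);
    out
}

/// What a hostile peer sends: a length prefix with no payload behind it.
pub fn forged_prefix(len: u32) -> Vec<u8> {
    len.to_be_bytes().to_vec()
}

fn main() {
    let forged = forged_prefix(u32::MAX);
    println!("bounded:   {:?}", read_string_bounded(&forged, MAX_STRING_LEN));
    println!("name-list: {:?}", read_name_list_bounded(&ssh_string(&vec![b','; 1000])));
    // read_string_unbounded(&forged) is deliberately not called: it would try to
    // reserve ~4 GiB before reporting the payload as missing.
}
```

The design point is the ordering: the bounded decoder rejects a forged 0xFFFFFFFF prefix with TooLong after reading only four bytes, and it counts commas before building a single String, whereas the allocation-first decoder has already committed the peer's number to the allocator by the time it discovers the packet is short. Returning borrowed slices and deferring ownership until after validation is what removes the attacker from the allocation size.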
Affected Systems
Affected systems are projects that depend on the russh SSH client and server library, versions 0.34.0 up to but not including 0.61.0 (vendor Eugeny, product russh, as listed in the advisory). Any deployment that processes SSH traffic through these versions, whether as a client, server, or intermediary, can be attacked by the SSH peer it talks to: a malicious client against an affected server, or a malicious server against an affected client. The vulnerability surfaces as soon as the peer transmits SSH messages whose fields are decoded before bounds enforcement.
Risk and Exploitability
The CVSS score of 7.5 (High) matches a network-reachable, low-complexity attack that needs no privileges or user interaction and affects availability only. No EPSS figure is available, so there is no public exploitation-probability data, and the flaw is not presently listed in the CISA KEV catalog. Because the attack vector is remote and requires no local privileges, an attacker exploits the issue by establishing an SSH session and sending crafted messages; nothing beyond the ability to produce malformed SSH packets is implied. Organizations should treat this as a significant denial-of-service risk for any SSH-exposed service built on these russh versions and upgrade to 0.61.0 or later.
OpenCVE Enrichment