High severityNVD Advisory· Published Aug 21, 2024· Updated Aug 21, 2024

Russh has an OOM Denial of Service due to allocation of untrusted amount

CVE-2024-43410

Description

Russh is a Rust SSH client & server library. Allocating an untrusted amount of memory allows any unauthenticated user to OOM a russh server. An SSH packet consists of a 4-byte big-endian length, followed by a byte stream of this length. After parsing and potentially decrypting the 4-byte length, russh allocates enough memory for this bytestream, as a performance optimization to avoid reallocations later. But this length is entirely untrusted and can be set to any value by the client, causing this much memory to be allocated, which will cause the process to OOM within a few such requests. This vulnerability is fixed in 0.44.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated users can cause OOM on russh SSH servers by sending a crafted packet with a large length field, leading to denial of service.

CVE-2024-43410 is a critical vulnerability in the Russh Rust SSH library (client and server) that allows any unauthenticated remote attacker to trigger an Out-Of-Memory (OOM) condition on a server, causing a denial of service. The vulnerability stems from the library's handling of incoming SSH packets. An SSH packet begins with a 4-byte big-endian length field that specifies the size of the subsequent byte stream. As a performance optimization, Russh pre-allocates memory for this entire byte stream based solely on the untrusted length value, without performing any validation checks [1][3].

Exploitation is straightforward and requires no authentication. An attacker can simply connect to a Russh server, send a standard SSH banner, and then transmit a crafted packet where the 4-byte length field is set to an arbitrarily large value (e.g., 0xFFFFFF00). The server will parse this length, allocate memory of that requested size, and repeat the process for subsequent requests. This quickly exhausts available memory, causing the server process to terminate due to OOM [3]. The provided reference includes a proof-of-concept (PoC) that demonstrates this attack against the library's echoserver example [3].

The impact is a complete denial of service for the SSH server, making it unavailable to legitimate users. No sensitive data is compromised, but service reliability is severely impacted. While the RFC 4253 specification notes that implementations should check packet lengths for reasonableness to avoid such attacks, Russh versions prior to 0.44.1 did not implement this check [3].

This vulnerability is fixed in Russh version 0.44.1. The fix introduces a MAXIMUM_PACKET_LEN constant set to 256 KiB (256 * 1024 bytes). Before allocating memory for the packet payload, the code now validates that the parsed length does not exceed this maximum, returning an error (Error::PacketSize(len)) if it does. All users running Russh server instances are strongly advised to upgrade to version 0.44.1 or later to mitigate this denial-of-service risk [4]. As of this publication, CVE-2024-43410 is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.

References

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
russhcrates.io	< 0.44.1	0.44.1

Affected products

ghsa-coords
pkg:cargo/russh
Range: < 0.44.1
Eugeny/russhv5
Range: < 0.44.1

Patches

f660ea3f64b8

fixed GHSA-vgvv-x7xg-6cqg - OOM Denial of Service due to allocation of untrusted packet size

https://github.com/Eugeny/russhEugeneAug 14, 2024via ghsa

commit

2 files changed · +12 −1

russh/src/cipher/mod.rs+8 −1 modified

@@ -240,7 +240,13 @@ pub(crate) async fn read<'a, R: AsyncRead + Unpin>(
             buffer.buffer.extend(&len);
             debug!("reading, seqn = {:?}", seqn);
             let len = cipher.decrypt_packet_length(seqn, &len);
-            buffer.len = BigEndian::read_u32(&len) as usize + cipher.tag_len();
+            let len = BigEndian::read_u32(&len) as usize;
+
+            if len > MAXIMUM_PACKET_LEN {
+                return Err(Error::PacketSize(len));
+            }
+
+            buffer.len = len + cipher.tag_len();
             debug!("reading, clear len = {:?}", buffer.len);
         }
     }
@@ -278,5 +284,6 @@ pub(crate) async fn read<'a, R: AsyncRead + Unpin>(
 pub(crate) const PACKET_LENGTH_LEN: usize = 4;
 
 const MINIMUM_PACKET_LEN: usize = 16;
+const MAXIMUM_PACKET_LEN: usize = 256 * 1024;
 
 const PADDING_LENGTH_LEN: usize = 1;

russh/src/lib.rs+4 −0 modified

@@ -221,6 +221,10 @@ pub enum Error {
     #[error("Wrong server signature")]
     WrongServerSig,
 
+    /// Excessive packet size.
+    #[error("Bad packet size: {0}")]
+    PacketSize(usize),
+
     /// Message received/sent on unopened channel.
     #[error("Channel not open")]
     WrongChannel,

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-vgvv-x7xg-6cqgghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2024-43410ghsaADVISORY
github.com/Eugeny/russh/commit/f660ea3f64b86d11d19e33076012069f02431e55ghsax_refsource_MISCWEB
github.com/Eugeny/russh/security/advisories/GHSA-vgvv-x7xg-6cqgghsax_refsource_CONFIRMWEB

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000