VYPR
Moderate severity · NVD Advisory · Published Aug 5, 2025 · Updated Aug 5, 2025

Russh is missing an overflow check during channel windows adjust

CVE-2025-54804

Description

Russh is a Rust SSH client & server library. In versions 0.54.0 and below, the channel window adjust message of the SSH protocol is used to track the free space in the receive buffer of the other side of a channel. The current implementation takes the value from the message and adds it to an internal state value. This can result in an integer overflow. If the Rust code is compiled with overflow checks, it will panic. A malicious client can crash a server. This is fixed in version 0.54.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Russh SSH library up to 0.54.0 has an integer overflow in channel window adjust handling, allowing a malicious client to crash a server via panic.

Vulnerability

Overview

The Russh Rust SSH client/server library, in versions 0.54.0 and below, contains an integer overflow vulnerability in the handling of SSH channel window adjust messages. The channel.recipient_window_size field is incremented by a value parsed directly from the message without any overflow check [1][3]. According to RFC 4254, the window size must not exceed 2^32 - 1, but the implementation simply adds the amount to the internal state, which can cause an arithmetic overflow [3].

Exploitation

A malicious client can send a crafted SSH_MSG_CHANNEL_WINDOW_ADJUST message with a large amount value (e.g., u32::MAX) to the server. When the server processes the message, the addition overflows. If the library is compiled with Rust's default overflow checks (enabled in debug mode or via flags), the process will panic, crashing the server [1][3]. The vulnerability affects both client and server code paths (server/encrypted.rs and client/encrypted.rs), but the server-facing impact is considered more critical because one user can deny service to all others [3].

Impact

Successful exploitation allows an unauthenticated attacker to crash a Russh-based SSH server, leading to a denial of service. While a malicious server could similarly crash a single client, the primary risk is to server availability [3]. There is no indication of remote code execution or data corruption as a result of this bug.

Mitigation

The issue has been patched in Russh version 0.54.1. The fix replaces the vulnerable addition with saturating_add, which prevents overflow by clamping the result to the maximum value [2][4]. Users are strongly advised to update to 0.54.1 or later. There is no known workaround other than upgrading [1][3].
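The arithmetic described above, as an added example rather than russh code: it models the pre-0.54.1 addition under both overflow-check settings, the `saturating_add` from the patch, and a stricter `checked_add` variant. `Channel`, `Outcome`, the `adjust_*` functions and the 2,097,152-byte starting window are assumptions for illustration; only the field name `recipient_window_size` comes from the patch.

```rust
// Added example. `Channel`, `Outcome` and the `adjust_*` functions are hypothetical
// names; only the field `recipient_window_size` comes from the patch.
#[derive(Debug, PartialEq)]
pub enum Outcome {
    Updated(u32), // no overflow, window grew normally
    Panic,        // `+=` overflowed with overflow checks enabled
    Wrapped(u32), // `+=` overflowed with overflow checks disabled
}

pub struct Channel {
    pub recipient_window_size: u32,
}

/// Models what the pre-0.54.1 `+=` does, without actually panicking.
pub fn adjust_unpatched(ch: &mut Channel, amount: u32, overflow_checks: bool) -> Outcome {
    let (sum, overflowed) = ch.recipient_window_size.overflowing_add(amount);
    if overflowed && overflow_checks {
        return Outcome::Panic; // the real `+=` panics at this point
    }
    ch.recipient_window_size = sum;
    if overflowed { Outcome::Wrapped(sum) } else { Outcome::Updated(sum) }
}

/// Same arithmetic as the 0.54.1 patch: clamp at u32::MAX.
pub fn adjust_patched(ch: &mut Channel, amount: u32) -> u32 {
    let new_size = ch.recipient_window_size.saturating_add(amount);
    ch.recipient_window_size = new_size;
    new_size
}

/// Stricter alternative (an assumption, not in the patch): reject the message
/// and leave the window untouched when the sum would exceed 2^32 - 1.
pub fn adjust_strict(ch: &mut Channel, amount: u32) -> Result<u32, &'static str> {
    let sum = ch.recipient_window_size.checked_add(amount);
    let new_size = sum.ok_or("window adjust would exceed 2^32 - 1")?;
    ch.recipient_window_size = new_size;
    Ok(new_size)
}

fn main() {
    const INITIAL: u32 = 2_097_152; // constructed starting window, not a russh default
    let mk = || Channel { recipient_window_size: INITIAL };
    println!("unpatched, checks on:  {:?}", adjust_unpatched(&mut mk(), u32::MAX, true));
    println!("unpatched, checks off: {:?}", adjust_unpatched(&mut mk(), u32::MAX, false));
    println!("patched (saturating):  {}", adjust_patched(&mut mk(), u32::MAX));
    println!("strict (checked):      {:?}", adjust_strict(&mut mk(), u32::MAX));
}
```

With overflow checks disabled the unpatched sum wraps to one byte less than the starting window, so a build that does not panic still ends up with a wrong window value.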

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
russh (crates.io) | < 0.54.1 | 0.54.1

Affected products

2
  • Russh/Russh (llm-create)
    Range: <=0.54.0
  • Eugeny/russh (v5)
    Range: < 0.54.1

Patches

1
0eb5e4067808

fixed GHSA-h5rc-j5f5-3gcm - missing overflow check in channel window adjust

https://github.com/Eugeny/russh · Eugene · Aug 4, 2025 · via ghsa
2 files changed · +4 -4
  • russh/src/client/encrypted.rs+2 2 modified
    @@ -539,8 +539,8 @@ impl Session {
                     debug!("channel_window_adjust amount: {:?}", amount);
                     if let Some(ref mut enc) = self.common.encrypted {
                         if let Some(ref mut channel) = enc.channels.get_mut(&channel_num) {
    -                        channel.recipient_window_size += amount;
    -                        new_size = channel.recipient_window_size;
    +                        new_size = channel.recipient_window_size.saturating_add(amount);
    +                        channel.recipient_window_size = new_size;
                         } else {
                             return Err(crate::Error::WrongChannel.into());
                         }
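Review bot: The `saturating_add` on the added `new_size` line hides a protocol violation: a peer whose adjust would push `recipient_window_size` past u32::MAX is silently clamped, and the only trace is the existing `debug!` of `amount`. RFC 4254 says the window must not be increased above 2^32 - 1, so consider `checked_add` here and returning an error on overflow, as the `else` branch already does for `WrongChannel`, or at least logging a warning when the clamp takes effect.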
    
  • russh/src/server/encrypted.rs+2 2 modified
    @@ -659,8 +659,8 @@ impl Session {
                     let mut new_size = 0;
                     if let Some(ref mut enc) = self.common.encrypted {
                         if let Some(channel) = enc.channels.get_mut(&channel_num) {
    -                        channel.recipient_window_size += amount;
    -                        new_size = channel.recipient_window_size;
    +                        new_size = channel.recipient_window_size.saturating_add(amount);
    +                        channel.recipient_window_size = new_size;
                         } else {
                             return Err(Error::WrongChannel.into());
                         }
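Review bot: The two added lines are a verbatim copy of the pair in russh/src/client/encrypted.rs, so the overflow handling now lives in two places that can drift apart. Suggest moving the update into a single method on the channel type and calling it from both sessions. The change also touches only the two encrypted.rs files, so a regression test that drives this path with `amount` set to u32::MAX would be worth adding alongside it.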
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4
