VYPR
← All advisories
High severity7.5NVD Advisory· Published May 8, 2026· Updated May 14, 2026

CVE-2026-42189

CVE-2026-42189

Description

Russh is a Rust SSH client & server library. Prior to version 0.60.1, a pre-authentication denial-of-service vulnerability exists in the server's keyboard-interactive authentication handler. A malicious client can crash any russh-based server that implements keyboard-interactive auth (e.g., for 2FA/TOTP) with a single malformed packet, requiring no credentials. This issue has been patched in version 0.60.1.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
russhcrates.io
< 0.60.10.60.1

Patches

1
6c3c80a9b6d6

Merge commit from fork

https://github.com/Eugeny/russhCorey LeavittApr 20, 2026via nvd-ref
commit
1 file changed · +7 1
  • russh/src/server/encrypted.rs+7 1 modified
    @@ -522,7 +522,13 @@ async fn read_userauth_info_response<H: Handler + Send, R: Reader>(
     if let Some(CurrentRequest::KeyboardInteractive { ref submethods }) = auth_request.current {
         let n = map_err!(u32::decode(r))?;
 
-        let mut responses = Vec::with_capacity(n as usize);
+        // Bound both allocation and iteration by remaining packet data to
+        // prevent a malicious client from causing a multi-GB allocation or
+        // billions of loop iterations with a crafted count.
+        // Each response needs at least 4 bytes (length prefix).
+        let max_responses = r.remaining_len().saturating_add(3) / 4;
+        let n = (n as usize).min(max_responses);
+        let mut responses = Vec::with_capacity(n);
         for _ in 0..n {
             responses.push(Bytes::decode(r).ok())
         }

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.