CVE-2026-48107
Status: Deferred - Pending Action

Heap-based Buffer Overflow in Russh SSH Client Library

Vulnerability report for CVE-2026-48107, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: GitHub, Inc.

Description

Russh is a Rust SSH client & server library. From version 0.37.0 to before version 0.61.0, in the russh client keyboard-interactive authentication path, a malicious SSH server could send a USERAUTH_INFO_REQUEST with an attacker-controlled prompt count, and the client would use that raw count directly in Vec::with_capacity(...) before validating that enough prompt data was actually present in the packet. This issue has been patched in version 0.61.0.
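As an added Rust example (not russh's code, and written against the RFC 4256 message layout rather than russh's internal types), the parser below bounds the prompt count by the bytes actually remaining in the packet before calling Vec::with_capacity, which is the class of check the description says was missing. `Reader` and `build_payload` are assumed helpers, and every payload they produce is constructed test data, not captured traffic.

```rust
// Added example, not russh's code: parse SSH_MSG_USERAUTH_INFO_REQUEST (RFC 4256, 3.2)
// without trusting the server-supplied prompt count as an allocation size.
/// Minimal bounds-checked cursor over the packet payload (assumed helper).
struct Reader<'a> { buf: &'a [u8], pos: usize }
impl Reader<'_> {
    fn u32(&mut self) -> Option<u32> {
        let b: [u8; 4] = self.buf.get(self.pos..self.pos + 4)?.try_into().ok()?;
        self.pos += 4;
        Some(u32::from_be_bytes(b))
    }
    fn string(&mut self) -> Option<String> {
        let n = self.u32()? as usize;
        let s = self.buf.get(self.pos..self.pos.checked_add(n)?)?;
        self.pos += n;
        String::from_utf8(s.to_vec()).ok()
    }
    fn byte(&mut self) -> Option<u8> { let b = *self.buf.get(self.pos)?; self.pos += 1; Some(b) }
}
/// Payload after the message-type byte: name, instruction, language tag, num-prompts, then
/// num-prompts x (prompt string, echo boolean). Returns (prompt, echo) pairs, or None for a
/// truncated or inconsistent packet.
pub fn parse_info_request(payload: &[u8]) -> Option<Vec<(String, bool)>> {
    let mut r = Reader { buf: payload, pos: 0 };
    let (_name, _instruction, _lang) = (r.string()?, r.string()?, r.string()?);
    let count = r.u32()? as usize;
    // Each prompt occupies at least 5 bytes (4-byte length + 1-byte echo flag), so a count
    // above remaining/5 cannot be backed by this packet. Checking that before
    // Vec::with_capacity is the validation the advisory describes as missing before 0.61.0.
    if count > (payload.len() - r.pos) / 5 {
        return None;
    }
    let mut prompts = Vec::with_capacity(count);
    for _ in 0..count {
        let text = r.string()?;
        prompts.push((text, r.byte()? != 0));
    }
    Some(prompts)
}
/// Constructed test payload; `count` is written as given, so it may disagree with `prompts`.
pub fn build_payload(count: u32, prompts: &[(&str, bool)]) -> Vec<u8> {
    let mut v = Vec::new();
    for _ in 0..3 { v.extend_from_slice(&0u32.to_be_bytes()); } // empty name/instruction/lang
    v.extend_from_slice(&count.to_be_bytes());
    for (p, e) in prompts {
        v.extend_from_slice(&(p.len() as u32).to_be_bytes());
        v.extend_from_slice(p.as_bytes());
        v.push(*e as u8);
    }
    v
}
```

The size bound is only a cheap pre-check; the per-field bounds checks in the loop still decide whether the packet is actually complete.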

Meta Information

Published: 2026-06-10
Last Modified: 2026-06-10
Generated: 2026-07-01
AI Q&A: 2026-06-11
EPSS Evaluated: 2026-06-30

Affected Vendors & Products

1 associated CPE:
Vendor: russh
Product: russh
Version / Range: up to 0.61.0 (excluding)

Exploitability

CWE-20 (Improper Input Validation): The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Instant insights powered by AI
Executive Summary

This vulnerability exists in the russh Rust SSH client library versions from 0.37.0 up to but not including 0.61.0. It occurs in the keyboard-interactive authentication process, where a malicious SSH server can send a USERAUTH_INFO_REQUEST message with a crafted prompt count. The russh client uses this attacker-controlled prompt count directly to allocate memory (using Vec::with_capacity) without first verifying that the packet contains enough prompt data. The allocation is therefore sized by a value the server controls rather than by the data the packet actually carries.

Impact Analysis

The vulnerability can impact users by causing a denial of service (DoS) condition. Since the client allocates memory based on an unvalidated prompt count, a malicious SSH server could exploit this to cause the client application to crash or behave unexpectedly. According to the CVSS score, the impact is rated as having high availability impact but no confidentiality or integrity impact.

Mitigation Strategies

To mitigate this vulnerability, upgrade the russh client library to version 0.61.0 or later, where the issue has been patched.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability can be detected by monitoring SSH client interactions for unusual or malformed USERAUTH_INFO_REQUEST messages during keyboard-interactive authentication. Specifically, detection involves identifying SSH servers sending an attacker-controlled prompt count that is excessively large or inconsistent with the packet length.

Since the issue occurs in the russh client library versions 0.37.0 to 0.60.2, verifying the version of russh in use on your systems is a primary step.

  • Check the russh client version installed on your system to ensure it is 0.61.0 or later, which contains the patch.
  • Use network packet capture tools like tcpdump or Wireshark to capture SSH traffic and inspect USERAUTH_INFO_REQUEST messages for abnormal prompt counts.
  • Example tcpdump command to capture SSH traffic: sudo tcpdump -i <interface> port 22 -w ssh_traffic.pcap
  • Analyze the captured packets with Wireshark, filtering for SSH USERAUTH_INFO_REQUEST messages and checking the prompt count fields for unusually large values. Note that USERAUTH_INFO_REQUEST is sent after key exchange, inside the encrypted SSH transport, so the prompt count is only inspectable where the session can be decrypted; otherwise client-side logging of the keyboard-interactive exchange is the practical source.
  • Review client-side logs for crashes or resource exhaustion symptoms during SSH keyboard-interactive authentication attempts.