CVE-2026-46673

7.5 HIGH

Russh is a Rust SSH client & server library

Published: 2026-06-10 · Last updated: 2026-06-10

Severity and scoring

CVSS: 7.5 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-770

Description

Russh is a Rust SSH client & server library. Prior to version 0.60.3, CryptoVec used unchecked capacity growth, unchecked length arithmetic, and unsafe allocation/locking paths. In current russh releases, local SSH agent peers could still feed attacker-controlled frame lengths into buffer growth before validation. In older russh releases before 0.58.0, remote SSH traffic also reached CryptoVec through transport and compression buffers. This issue has been patched in version 0.60.3.

Source: NVD

References

Related CVEs

Same CWE

CVE-2026-53460 — ImageMagick is free and open-source software used for editing and manipulating digital images (7.5 HIGH)
CVE-2026-46702 — Russh is a Rust SSH client & server library (7.5 HIGH)
CVE-2026-45031 — ImageMagick is free and open-source software used for editing and manipulating digital images (5.3 MEDIUM)
CVE-2026-10740 — Unbounded memory allocation in the CRYPTO frame reassembler in s2n-quic before 1.8.2 may allow an unauthenticated remote actor to cause a... (5.3 MEDIUM)
CVE-2026-24720 — An allocation of resources without limits or throttling vulnerability has been reported to affect File Station 6