CVE-2026-46673

HIGH

Russh < 0.60.3 CryptoVec - Unbounded Allocation Resource Exhaustion

Title source: manual

Description

Russh is a Rust SSH client & server library. Prior to version 0.60.3, CryptoVec used unchecked capacity growth, unchecked length arithmetic, and unsafe allocation/locking paths. In current russh releases, local SSH agent peers could still feed attacker-controlled frame lengths into buffer growth before validation. In older russh releases before 0.58.0, remote SSH traffic also reached CryptoVec through transport and compression buffers. This issue has been patched in version 0.60.3.

References (1)

Core 1

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/Eugeny/russh/security/advisories/GHSA-g9f8-wqj9-fjw5

Scores

CVSS v3 7.5

EPSS 0.0046

EPSS Percentile 36.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-770

Status published

Products (3)

crates.io/russh 0 - 0.60.3crates.io

crates.io/russh-cryptovec 0 - 0.60.3crates.io

Eugeny/russh < 0.60.3

Published Jun 10, 2026

Tracked Since Jun 11, 2026