CVE-2026-48107

MEDIUM

Russh: Unchecked keyboard-interactive prompt count in client auth path

Title source: cna

Description

Russh is a Rust SSH client & server library. From version 0.37.0 to before version 0.61.0, in the russh client keyboard-interactive authentication path, a malicious SSH server could send a USERAUTH_INFO_REQUEST with an attacker-controlled prompt count, and the client would use that raw count directly in Vec::with_capacity(...) before validating that enough prompt data was actually present in the packet. This issue has been patched in version 0.61.0.

References (1)

Core 1

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/Eugeny/russh/security/advisories/GHSA-g9g7-5cgw-6v28

Scores

CVSS v3 6.5

EPSS 0.0023

EPSS Percentile 13.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-20

Status published

Products (2)

crates.io/russh 0.37.0 - 0.61.0crates.io

Eugeny/russh >= 0.37.0, < 0.61.0

Published Jun 10, 2026

Tracked Since Jun 11, 2026