russh has pre-auth DoS via unbounded allocation in its keyboard-interactive auth handler — CVE-2026-42189
GitHub · GitHub · CVE-2026-42189
ID
CVE-2026-42189
CVE-2026-42189
Date
Updated
Activity
Source
GitHub
GitHub
Vendor
GitHub
GitHub
Threat
high
high
CVSS
7.5
7.5
EPSS
0.00084
0.00084
Summary
## Summary A pre-authentication denial-of-service vulnerability exists in the server's keyboard-interactive authentication handler. A malicious client can crash any russh-based server that implements keyboard-interactive auth (e.g., for 2FA/TOTP) with a single malformed packet, requiring no credentials. ## Vulnerability Details In `russh/src/server/encrypted.rs`, the function `read_userauth_info_response` decodes a…
Product
rust: russh
What to do
General, cautious steps (verify details in the official source):
- Prioritize patching or mitigation immediately (treat as actively risky).
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.