
RUSTSEC-2026-0154

Unbounded 32-bit allocation

Reported
Issued
Package
russh (crates.io)
Type
Vulnerability
Categories
Aliases
References
CVSS Score
7.5 HIGH
CVSS Details
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality Impact
None
Integrity Impact
None
Availability Impact
High
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Patched
  • >=0.60.3

Description

Both the SSH agent server and the SSH agent client accepted peer-controlled frame lengths without enforcing a maximum frame size, so parsing a maliciously crafted agent frame could trigger a very large memory allocation.

A malicious peer could advertise an oversized frame length (up to the full 32-bit range) and cause the client or server to attempt that allocation before validating the frame, potentially leading to memory exhaustion or process termination.

The fix enforces a maximum agent frame size of 256 KiB and rejects oversized frames before any buffer is allocated.
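The two parsing shapes the advisory contrasts, as an added illustration that is not russh's own code: a reader that sizes its buffer from the peer-supplied 32-bit length before checking it, beside one that compares the advertised length against a 256 KiB cap while it is still a u32 and only then allocates. The constant and function names, the sample frames (a benign SSH_AGENTC_REQUEST_IDENTITIES request and a header claiming a 4 GiB frame with no body) and the cap value are this example's own assumptions based on the advisory text.

```rust
use std::io::{self, Cursor, Read};

/// Frame cap the advisory says the fix enforces (256 KiB). The constant
/// name is this example's own, not russh's.
pub const MAX_AGENT_FRAME_LEN: u32 = 256 * 1024;

/// SSH agent message number for SSH_AGENTC_REQUEST_IDENTITIES
/// (draft-miller-ssh-agent).
pub const SSH_AGENTC_REQUEST_IDENTITIES: u8 = 11;

/// Agent frames are a 4-byte big-endian length followed by that many body
/// bytes. Used here only to build constructed sample input.
pub fn encode_frame(body: &[u8]) -> Vec<u8> {
    let mut out = (body.len() as u32).to_be_bytes().to_vec();
    out.extend_from_slice(body);
    out
}

/// Constructed hostile input: a header advertising a 4 GiB frame, no body.
pub fn hostile_header() -> Vec<u8> {
    u32::MAX.to_be_bytes().to_vec()
}

/// Vulnerable shape: the peer-supplied length sizes the buffer before any
/// check. A header of 0xFFFFFFFF makes this try to allocate ~4 GiB before
/// a single body byte has been read.
pub fn read_frame_unbounded<R: Read>(r: &mut R) -> io::Result<Vec<u8>> {
    let mut hdr = [0u8; 4];
    r.read_exact(&mut hdr)?;
    let len = u32::from_be_bytes(hdr) as usize;
    let mut body = vec![0u8; len]; // allocation driven entirely by the peer
    r.read_exact(&mut body)?;
    Ok(body)
}

/// Hardened shape: validate the advertised length against the cap while it
/// is still a u32, and only then allocate. An oversized header is rejected
/// without consuming or allocating for the body.
pub fn read_frame_bounded<R: Read>(r: &mut R) -> io::Result<Vec<u8>> {
    let mut hdr = [0u8; 4];
    r.read_exact(&mut hdr)?;
    let len = u32::from_be_bytes(hdr);
    if len > MAX_AGENT_FRAME_LEN {
        return Err(io::Error::new(
            io::ErrorKind::InvalidData,
            format!("agent frame length {len} exceeds {MAX_AGENT_FRAME_LEN} bytes"),
        ));
    }
    let mut body = vec![0u8; len as usize];
    r.read_exact(&mut body)?;
    Ok(body)
}

fn main() {
    let benign = encode_frame(&[SSH_AGENTC_REQUEST_IDENTITIES]);
    println!("benign frame  -> {:?}", read_frame_bounded(&mut Cursor::new(&benign)));
    println!("hostile header -> {:?}", read_frame_bounded(&mut Cursor::new(hostile_header())));
}
```

The check is done on the u32 before the cast to usize so the comparison cannot be affected by the target's pointer width, and the error is returned before `vec![0u8; len]` runs, which is the ordering the advisory's fix describes (reject, then allocate). Whether the unbounded version fails immediately or only under memory pressure depends on the allocator and the OS overcommit policy, which is why the check belongs at the parser rather than relying on allocation failure.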

Advisory available under CC0-1.0 license.