Security: Eugeny/russh
Security Advisories
View known security vulnerabilities and report new vulnerabilities privately to maintainers.
- SSH message fields were decoded through allocation-first parsers before field-specific bounds. GHSA-4r3c-5hpg-58qr, published May 20, 2026 by Eugeny. Severity: High
- SSH identification parsing accepted non-canonical client banners and did not bound pre-banner input. GHSA-76r6-x97p-67vr, published May 20, 2026 by Eugeny. Severity: Moderate
- russh server userauth state is not reset when authentication principal changes. GHSA-hpv4-5h6f-wqr3, published May 20, 2026 by Eugeny. Severity: Moderate
- Unchecked keyboard-interactive prompt count in `russh` client auth path. GHSA-g9g7-5cgw-6v28, published May 20, 2026 by Eugeny. Severity: Moderate
- Post-decompression SSH packet size was not bounded, allowing remote oversized compressed packets. GHSA-wwx6-x28x-8259, published May 23, 2026 by Eugeny. Severity: High
- Unchecked CryptoVec allocation and growth handling is reachable from local agent inputs in current russh releases and from remote SSH traffic in historical pre-0.58.0 releases. GHSA-g9f8-wqj9-fjw5, published May 15, 2026 by Eugeny. Severity: High
- Pre-auth DoS via unbounded allocation in keyboard-interactive auth. GHSA-f5v4-2wr6-hqmg, published Apr 20, 2026 by Eugeny. Severity: High
- Missing overflow check during channel windows adjust. GHSA-h5rc-j5f5-3gcm, published Aug 4, 2025 by Eugeny. Severity: Moderate
- OOM Denial of Service due to allocation of untrusted amount. GHSA-vgvv-x7xg-6cqg, published Aug 14, 2024 by Eugeny. Severity: High
- Prefix Truncation Attack (a.k.a. Terrapin Attack) against ChaCha20-Poly1305 and Encrypt-then-MAC. GHSA-45x7-px36-x8w8, published Dec 18, 2023 by Eugeny. Severity: Moderate