CVE-2026-54697

MEDIUMPre-NVD 0.0
0.0
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • No confirmed exploitation signals yet
CISA-KEV: Not listedEPSS: CVSS: Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

ConnectBot SSH Client Library: Excessive allocation and integer overflow in DER private-key parsing

Summary

The DER parser used for application-supplied private keys did not safely validate encoded length values before converting them to Int values or allocating arrays.

A malformed private-key file could encode a length that overflowed or wrapped around, or request an allocation much larger than the available input. This could cause parsing errors or an uncaught OutOfMemoryError, potentially terminating the application process.

Details

The issue was in DerReader.readLength() and primitive readers such as readInteger().

readLength() previously accepted up to 127 length octets and accumulated them into an Int:

length = (length shl 8) or nextByte

This permitted integer overflow. For example:

  • 0x1_0000_0001 wrapped to 1.
  • 0x8000_0000 wrapped to Int.MIN_VALUE.

Primitive readers then allocated memory based on the resulting value without first checking it against the remaining input:

val bytes = ByteArray(length)
data.get(bytes)

A six-byte DER value declaring a 1 GiB INTEGER caused an immediate OutOfMemoryError when tested with a constrained JVM heap. Because OutOfMemoryError is not an Exception, it is not caught by the public-key authentication error handling and may terminate the application process.

A zero-length DER INTEGER is also invalid, but it does not produce BigInteger.ZERO: Java throws NumberFormatException when constructing a BigInteger from an empty byte array. No weakened or usable cryptographic key has been demonstrated through this issue.

Attack Requirements

The affected DER parser processes private-key material explicitly supplied by the application through APIs such as:

  • SshClient.authenticatePublicKey()
  • SshKeys.decodePemPrivateKey()
  • SshSigning.sign()
  • SshSigning.getPublicKey()

The DER input is not populated from SSH server host keys or agent-forwarding requests. Exploitation therefore requires a user or application to load an attacker-provided private-key file. The issue is not remotely exploitable by an SSH server.

Impact

Successful exploitation can cause:

  • Incorrect DER length interpretation due to integer wraparound
  • Excessive memory allocation
  • An uncaught OutOfMemoryError
  • Loss of availability of the affected application process

There is no demonstrated confidentiality or integrity impact.

Remediation

The DER parser now:

  • Rejects indefinite lengths
  • Explicitly limits long-form lengths to Int.SIZE_BYTES (four octets) and rejects values above Int.MAX_VALUE
  • Accumulates long-form lengths in a Long before converting to Int
  • Rejects truncated and non-minimal length encodings
  • Checks declared lengths against the remaining input before allocation or advancing the input position
  • Rejects zero-length DER INTEGER, BIT STRING, and OBJECT IDENTIFIER values where an empty encoding is invalid
  • Rejects non-canonical DER INTEGER encodings with redundant sign octets

The bounds checks are implemented in shared DER reader helpers and apply to INTEGER, OCTET STRING, BIT STRING, OBJECT IDENTIFIER, SEQUENCE, context-specific values, and skipped values. PKCS#1 RSA and SEC1 EC private keys pass application-supplied DER directly through these helpers. PKCS#8 input is parsed by the JCA provider, and OpenSSH private keys use a separate wire-format parser rather than DerReader.

CVSS v3
EG Score
0.0(none)
EPSS
KEV
Not listed

Published

June 12, 2026

Last Modified

June 12, 2026

Vendor Advisories for CVE-2026-54697(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Patch Availability(1)

Vendor / EcosystemFixed in / PatchReleasedSource
mavenorg.connectbot.sshlib:sshlibghsa

Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.

Weakness Classification(2)

MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.

Data Freshness Timeline

(refreshed 3× in last 7d / 3× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-11 18:13 UTCGHSA enrichment
  2. 2026-07-08 17:45 UTCEG score recompute
  3. 2026-07-08 17:45 UTCGHSA enrichment

Frequently asked(3)

What is CVE-2026-54697?
CVE-2026-54697 is a medium vulnerability published on June 12, 2026. ConnectBot SSH Client Library: Excessive allocation and integer overflow in DER private-key parsing Summary The DER parser used for application-supplied private keys did not safely validate encoded length values before converting them to Int values or allocating arrays. A malformed private-key file…
When was CVE-2026-54697 disclosed?
CVE-2026-54697 was first published in the National Vulnerability Database on June 12, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
How do I remediate CVE-2026-54697?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-54697, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-54697

Explore →

Is Your Infrastructure Affected by CVE-2026-54697?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.