CVE-2026-54700

MEDIUMPre-NVD 0.0
0.0
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • No confirmed exploitation signals yet
CISA-KEV: Not listedEPSS: CVSS: Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

ConnectBot SSH Client Library: Unbounded SSH field lengths can cause excessive memory allocation

Summary

The SSH protocol parser trusted attacker-controlled length and count fields without first checking that the declared values fit within the containing packet.

When a client connects to a malicious or compromised SSH server, the server can send a small, malformed packet containing an inner field whose declared length is much larger than the packet itself. The Kaitai Struct Java runtime attempts to allocate a byte array using the declared length before it discovers that the input is truncated. A sufficiently large value can therefore cause excessive memory allocation or an uncaught OutOfMemoryError, potentially terminating the application process that uses the library.

Applications that enable SSH agent forwarding have an additional attack path: the connected server can send malformed agent protocol messages containing the same class of oversized inner length.

Details

SSH uses unsigned 32-bit length prefixes for strings and other protocol structures. Before the fix, several Kaitai Struct definitions passed these lengths directly to generated parsing code. For example, the byte-string definition read a uint32 followed by an array of that size without validating the size against the bytes remaining in the current stream.

The SSH transport limits the size of an outer packet, but an inner field in that packet could still declare a length approaching the Java array size limit. The Kaitai runtime allocates the destination array before reading from the bounded input stream. Consequently, an attacker does not need to transmit an equally large packet to trigger the allocation attempt.

Malformed count fields could also cause parsers to attempt an unreasonable number of repeated elements. The fix validates both byte lengths and element counts against the size of their containing stream.

Parsing failures previously surfaced inconsistently as unchecked runtime exceptions. The fixed version converts malformed SSH packets to a transport protocol error and returns an SSH agent failure response for malformed agent requests.

Attack Requirements

For the general SSH packet path:

  • A user or application must initiate a connection to an attacker-controlled or compromised SSH server.
  • Authentication is not required.
  • No optional library feature is required.
  • The server only needs to return a malformed SSH packet containing an oversized inner length or count.

For the agent protocol path, SSH agent forwarding must additionally be enabled.

Impact

Successful exploitation can cause excessive heap allocation and loss of availability of the application process. In constrained environments, a single small malicious packet can cause an OutOfMemoryError.

No confidentiality or integrity impact has been demonstrated.

Remediation

Upgrade to version 0.3.1 or later.

The fix:

  • Validates length-prefixed fields against the remaining bytes in their containing Kaitai stream.
  • Validates repeated-element counts against the minimum encoded size of each element.
  • Validates SSH transport and agent frame lengths and padding constraints.
  • Converts malformed SSH packet parsing failures into TransportException.
  • Returns SSH_AGENT_FAILURE for malformed forwarded-agent requests instead of allowing parser exceptions to escape.

CVSS v3
EG Score
0.0(none)
EPSS
KEV
Not listed

Published

June 12, 2026

Last Modified

June 12, 2026

Vendor Advisories for CVE-2026-54700(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Patch Availability(1)

Vendor / EcosystemFixed in / PatchReleasedSource
mavenorg.connectbot.sshlib:sshlibghsa

Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.

Weakness Classification(2)

MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.

Data Freshness Timeline

(refreshed 3× in last 7d / 3× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-11 17:26 UTCGHSA enrichment
  2. 2026-07-08 17:45 UTCEG score recompute
  3. 2026-07-08 17:45 UTCGHSA enrichment

Frequently asked(3)

What is CVE-2026-54700?
CVE-2026-54700 is a medium vulnerability published on June 12, 2026. ConnectBot SSH Client Library: Unbounded SSH field lengths can cause excessive memory allocation Summary The SSH protocol parser trusted attacker-controlled length and count fields without first checking that the declared values fit within the containing packet. When a client connects to a…
When was CVE-2026-54700 disclosed?
CVE-2026-54700 was first published in the National Vulnerability Database on June 12, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
How do I remediate CVE-2026-54700?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-54700, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-54700

Explore →

Is Your Infrastructure Affected by CVE-2026-54700?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.