russh
crates.io11 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting russhpage 1 of 1
- CVE-2023-28113MEDIUMCVSS 5.9EG 5.9✓ Fixed in 0.37.12023-03-16
russh is a Rust SSH client and server library. Starting in version 0.34.0 and prior to versions 0.36.2 and 0.37.1, Diffie-Hellman key validation is insufficient, which can lead to insecure shared secrets and therefore breaks confidentialit…
- CVE-2023-48795MEDIUMCVSS 5.9EG 5.9✓ Fixed in 0.40.22023-12-18
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and…
- CVE-2024-43410HIGHCVSS 7.5EG 7.5✓ Fixed in 0.44.12024-08-21
Russh is a Rust SSH client & server library. Allocating an untrusted amount of memory allows any unauthenticated user to OOM a russh server. An SSH packet consists of a 4-byte big-endian length, followed by a byte stream of this length. Af…
- CVE-2025-54804MEDIUMCVSS 6.5EG 6.5✓ Fixed in 0.54.12025-08-05
Russh is a Rust SSH client & server library. In versions 0.54.0 and below, the channel window adjust message of the SSH protocol is used to track the free space in the receive buffer of the other side of a channel. The current implementati…
- CVE-2026-42189HIGHCVSS 7.5EG 7.5✓ Fixed in 0.60.12026-05-08
Russh is a Rust SSH client & server library. Prior to version 0.60.1, a pre-authentication denial-of-service vulnerability exists in the server's keyboard-interactive authentication handler. A malicious client can crash any russh-based ser…
- CVE-2026-46673HIGHCVSS 7.5EG 7.5✓ Fixed in 0.60.32026-05-21
Russh is a Rust SSH client & server library. Prior to version 0.60.3, CryptoVec used unchecked capacity growth, unchecked length arithmetic, and unsafe allocation/locking paths. In current russh releases, local SSH agent peers could still …
- CVE-2026-46702HIGHCVSS 7.5EG 7.5✓ Fixed in 0.61.12026-05-29
Russh is a Rust SSH client & server library. From version 0.34.0 to before version 0.61.1, when SSH compression is enabled, russh accepted compressed packets whose on-wire size passed the normal transport packet-length checks but whose dec…
- CVE-2026-46705MEDIUMCVSS 5.3EG 5.3✓ Fixed in 0.61.02026-05-29
Russh is a Rust SSH client & server library. From version 0.34.0-beta.1 to before version 0.61.0, the russh server authentication path keeps internal userauth state across SSH_MSG_USERAUTH_REQUEST messages without separating that state whe…
- CVE-2026-48107MEDIUMCVSS 6.5EG 6.5✓ Fixed in 0.61.02026-06-10
Russh is a Rust SSH client & server library. From version 0.37.0 to before version 0.61.0, in the russh client keyboard-interactive authentication path, a malicious SSH server could send a USERAUTH_INFO_REQUEST with an attacker-controlled …
- CVE-2026-48108MEDIUMCVSS 5.3EG 5.3✓ Fixed in 0.61.02026-06-10
Russh is a Rust SSH client & server library. From version 0.34.0-beta.1 to before version 0.61.0, russh did not enforce the SSH identification-string rules as deliberately as OpenSSH. In particular, the server-side identification reader us…
- CVE-2026-48110HIGHCVSS 7.5EG 7.5✓ Fixed in 0.61.02026-06-10
Russh is a Rust SSH client & server library. From version 0.34.0 to before version 0.61.0, several russh client and server message handlers decoded attacker-controlled SSH strings, name-lists, and byte fields into owned allocations before …
Check whether russh is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for russh CVEs against the assets you own.
Start Free Scan →