GHSA-G9G7-5CGW-6V28

Vulnerability from github – Published: 2026-06-11 20:28 – Updated: 2026-06-11 20:28
VLAI
Summary
Russh: Unchecked keyboard-interactive prompt count in client auth path
Details

Summary

In the russh client keyboard-interactive authentication path, a malicious SSH server could send a USERAUTH_INFO_REQUEST with an attacker-controlled prompt count, and the client would use that raw count directly in Vec::with_capacity(...) before validating that enough prompt data was actually present in the packet.

This is a client-side denial-of-service / resource-exhaustion issue on the keyboard-interactive auth path.

Details

The vulnerable code path is in:

  • russh/src/client/encrypted.rs

When the client is in CurrentRequest::KeyboardInteractive state and receives SSH_MSG_USERAUTH_INFO_REQUEST, it parses:

  1. name
  2. instructions
  3. language tag
  4. n_prompts

Before the fix, the code then did:

let n_prompts = map_err!(u32::decode(&mut r))?;
let mut prompts = Vec::with_capacity(n_prompts.try_into().unwrap_or(0));

That means a malicious server could advertise an enormous n_prompts value even if the packet contained no prompt bodies at all.

The fix rejects inconsistent prompt counts before allocating:

let n_prompts = map_err!(u32::decode(&mut r))?;
let max_prompts = r.remaining_len() / 5;
let n_prompts = n_prompts as usize;
if n_prompts > max_prompts {
    return Err(crate::Error::Inconsistent.into());
}
let mut prompts = Vec::with_capacity(n_prompts);

Each prompt needs at least 4 bytes of string length plus 1 byte of echo flag, so remaining_len() / 5 is a safe upper bound. If the declared count exceeds what the packet can actually contain, the packet is malformed and is now rejected instead of being silently truncated.

The tester did not find a same-class server-side bug in the reciprocal USERAUTH_INFO_RESPONSE path. The server already bounds the response count by remaining packet length before allocating.

Affected package and versions:

  • package: russh
  • earliest affected stable: 0.37.0
  • confirmed affected current release: 0.60.2

The tester does not believe this issue affects the other crates in this workspace (russh-config, russh-cryptovec, pageant, or russh-util).

PoC

An in-tree regression test was added:

  • client::tests::oversized_keyboard_interactive_prompt_count_is_rejected

The test builds a client session in WaitingAuthRequest(KeyboardInteractive) state, feeds it a synthetic USERAUTH_INFO_REQUEST packet with:

  • normal name
  • normal instructions
  • empty language tag
  • n_prompts = u32::MAX
  • no prompt bodies

On the fixed code, the client rejects the packet with Error::Inconsistent and does not emit a reply to the caller.

For old-code impact verification, the pre-fix path was also checked separately with a constrained-memory repro. On unfixed upstream/main, the same malformed packet attempted a very large allocation and failed with:

memory allocation of 137438953440 bytes failed

Relevant verification commands:

cargo test -p russh oversized_keyboard_interactive_prompt_count_is_rejected -- --nocapture
cargo test -p russh --lib --no-default-features --features ring oversized_keyboard_interactive_prompt_count_is_rejected -- --nocapture

Impact

Suggested CVSS v3.1:

  • CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • Score: 6.5

Reasoning:

  • AV:N: reached by a malicious SSH server over the network
  • AC:L: the packet format is straightforward
  • PR:N: no prior authentication required
  • UI:R: the victim must initiate a connection and proceed into keyboard-interactive auth
  • C:N, I:N: Confidentiality or integrity impact were not demonstrated
  • A:H: the server can drive a very large allocation attempt in the client auth path, which can abort or exhaust client-side resources depending on allocator and platform behavior
Severity
6.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "russh"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.37.0"
            },
            {
              "fixed": "0.61.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-48107"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-11T20:28:56Z",
    "nvd_published_at": "2026-06-10T22:17:00Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nIn the `russh` client keyboard-interactive authentication path, a malicious SSH server could send a `USERAUTH_INFO_REQUEST` with an attacker-controlled prompt count, and the client would use that raw count directly in `Vec::with_capacity(...)` before validating that enough prompt data was actually present in the packet.\n\nThis is a client-side denial-of-service / resource-exhaustion issue on the keyboard-interactive auth path.\n\n### Details\nThe vulnerable code path is in:\n\n- `russh/src/client/encrypted.rs`\n\nWhen the client is in `CurrentRequest::KeyboardInteractive` state and receives `SSH_MSG_USERAUTH_INFO_REQUEST`, it parses:\n\n1. `name`\n2. `instructions`\n3. `language tag`\n4. `n_prompts`\n\nBefore the fix, the code then did:\n\n```rust\nlet n_prompts = map_err!(u32::decode(\u0026mut r))?;\nlet mut prompts = Vec::with_capacity(n_prompts.try_into().unwrap_or(0));\n```\n\nThat means a malicious server could advertise an enormous `n_prompts` value even if the packet contained no prompt bodies at all.\n\nThe fix rejects inconsistent prompt counts before allocating:\n\n```rust\nlet n_prompts = map_err!(u32::decode(\u0026mut r))?;\nlet max_prompts = r.remaining_len() / 5;\nlet n_prompts = n_prompts as usize;\nif n_prompts \u003e max_prompts {\n    return Err(crate::Error::Inconsistent.into());\n}\nlet mut prompts = Vec::with_capacity(n_prompts);\n```\n\nEach prompt needs at least 4 bytes of string length plus 1 byte of echo flag, so `remaining_len() / 5` is a safe upper bound. If the declared count exceeds what the packet can actually contain, the packet is malformed and is now rejected instead of being silently truncated.\n\nThe tester did not find a same-class server-side bug in the reciprocal `USERAUTH_INFO_RESPONSE` path. The server already bounds the response count by remaining packet length before allocating.\n\nAffected package and versions:\n\n- package: `russh`\n- earliest affected stable: `0.37.0`\n- confirmed affected current release: `0.60.2`\n\nThe tester does not believe this issue affects the other crates in this workspace (`russh-config`, `russh-cryptovec`, `pageant`, or `russh-util`).\n\n### PoC\nAn in-tree regression test was added:\n\n- `client::tests::oversized_keyboard_interactive_prompt_count_is_rejected`\n\nThe test builds a client session in `WaitingAuthRequest(KeyboardInteractive)` state, feeds it a synthetic `USERAUTH_INFO_REQUEST` packet with:\n\n- normal `name`\n- normal `instructions`\n- empty language tag\n- `n_prompts = u32::MAX`\n- no prompt bodies\n\nOn the fixed code, the client rejects the packet with `Error::Inconsistent` and does not emit a reply to the caller.\n\nFor old-code impact verification, the pre-fix path was also checked separately with a constrained-memory repro. On unfixed `upstream/main`, the same malformed packet attempted a very large allocation and failed with:\n\n```text\nmemory allocation of 137438953440 bytes failed\n```\n\nRelevant verification commands:\n\n```bash\ncargo test -p russh oversized_keyboard_interactive_prompt_count_is_rejected -- --nocapture\ncargo test -p russh --lib --no-default-features --features ring oversized_keyboard_interactive_prompt_count_is_rejected -- --nocapture\n```\n\n### Impact\nSuggested CVSS v3.1:\n\n- `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H`\n- Score: `6.5`\n\nReasoning:\n\n- `AV:N`: reached by a malicious SSH server over the network\n- `AC:L`: the packet format is straightforward\n- `PR:N`: no prior authentication required\n- `UI:R`: the victim must initiate a connection and proceed into keyboard-interactive auth\n- `C:N`, `I:N`:  Confidentiality or integrity impact were not demonstrated\n- `A:H`: the server can drive a very large allocation attempt in the client auth path, which can abort or exhaust client-side resources depending on allocator and platform behavior",
  "id": "GHSA-g9g7-5cgw-6v28",
  "modified": "2026-06-11T20:28:56Z",
  "published": "2026-06-11T20:28:56Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Eugeny/russh/security/advisories/GHSA-g9g7-5cgw-6v28"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48107"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Eugeny/russh"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Russh: Unchecked keyboard-interactive prompt count in client auth path"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.