CVE-2026-46673

Source
https://cve.org/CVERecord?id=CVE-2026-46673
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46673.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-46673
Aliases
Downstream
Related
Published
2026-06-10T20:16:28.001Z
Modified
2026-07-08T08:13:36.363785280Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Russh: Unchecked CryptoVec allocation and growth handling is reachable from local agent inputs in current russh releases and from remote SSH traffic in historical pre-0.58.0 releases
Details

Russh is a Rust SSH client & server library. Prior to version 0.60.3, CryptoVec used unchecked capacity growth, unchecked length arithmetic, and unsafe allocation/locking paths. In current russh releases, local SSH agent peers could still feed attacker-controlled frame lengths into buffer growth before validation. In older russh releases before 0.58.0, remote SSH traffic also reached CryptoVec through transport and compression buffers. This issue has been patched in version 0.60.3.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46673.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-770"
    ]
}
References

Affected packages

Git / github.com/eugeny/russh

Affected ranges

Type
GIT
Repo
https://github.com/eugeny/russh
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.60.3"
        },
        {
            "fixed": "0.58.0"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "DESCRIPTION"
    ]
}

Affected versions

0.*
0.37.0-beta.1
v0.*
v0.34.0
v0.35.0-beta.1
v0.35.0-beta.2
v0.35.0-beta.3
v0.35.0-beta.5
v0.35.0-beta.6
v0.35.0-beta.7
v0.35.0-beta.8
v0.35.0-beta.9
v0.36.1
v0.37.0
v0.37.0-beta.1
v0.37.1
v0.38.0
v0.38.0-beta.1
v0.39.0-beta.1
v0.40.0
v0.40.1
v0.40.2
v0.42.0
v0.43.0
v0.43.0-beta.1
v0.44.0
v0.44.0-beta.1
v0.44.0-beta.3
v0.44.0-beta.4
v0.45.0
v0.46.0
v0.47.0-beta.3
v0.47.0-beta.4
v0.48.0
v0.48.1
v0.48.2
v0.49.0
v0.50.0
v0.50.0-beta.10
v0.50.0-beta.11
v0.50.0-beta.12
v0.50.0-beta.2
v0.50.0-beta.3
v0.50.0-beta.4
v0.50.0-beta.5
v0.50.0-beta.6
v0.50.0-beta.7
v0.50.0-beta.8
v0.50.0-beta.9
v0.50.1
v0.50.3
v0.50.4
v0.51.0
v0.51.0-beta.1
v0.51.0-beta.2
v0.51.0-beta.3
v0.51.1
v0.52.0
v0.52.0-beta.1
v0.52.1
v0.53.0
v0.53.0-beta.1
v0.54.0
v0.54.1
v0.54.2
v0.54.3
v0.54.4
v0.54.5
v0.54.6
v0.55.0
v0.56.0
v0.57.0
v0.57.1
v0.58.0
v0.59.0
v0.60.0
v0.60.1
v0.60.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46673.json"