7.5
CVE-2026-42189
- EPSS 0.19%
- Veröffentlicht 08.05.2026 19:49:51
- Zuletzt bearbeitet 14.05.2026 18:07:22
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginRussh: Pre-auth DoS via unbounded allocation in keyboard-interactive auth
Russh is a Rust SSH client & server library. Prior to version 0.60.1, a pre-authentication denial-of-service vulnerability exists in the server's keyboard-interactive authentication handler. A malicious client can crash any russh-based server that implements keyboard-interactive auth (e.g., for 2FA/TOTP) with a single malformed packet, requiring no credentials. This issue has been patched in version 0.60.1.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Russh Project ≫ Russh SwPlatformrust Version < 0.60.1
Warpgate Project ≫ Warpgate Version < 0.23.1
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.19% | 0.402 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
CWE-770 Allocation of Resources Without Limits or Throttling
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.
CWE-789 Memory Allocation with Excessive Size Value
The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.