russh

CVE-2026-48107

CVE-2026-48107 is a medium-severity improper input validation vulnerability in russh (rust), affecting versions >= 0.37.0, < 0.61.0. It is fixed in 0.61.0.

Key facts
CVSS score
6.5
Medium
Attack vector
Network
Issuing authority
GitHub Advisory Database
Affected package
russh
Fixed in
0.61.0
Disclosed
2026

Summary

In the russh client keyboard-interactive authentication path, a malicious SSH server could send a USERAUTH_INFO_REQUEST with an attacker-controlled prompt count, and the client would use that raw count directly in Vec::with_capacity(...) before validating that enough prompt data was actually present in the packet. This is a client-side denial-of-service / resource-exhaustion issue on the keyboard-interactive auth path.

Details

The vulnerable code path is in: russh/src/client/encrypted.rs

When the client is in CurrentRequest::KeyboardInteractive state and receives SSH_MSG_USERAUTH_INFO_REQUEST, it parses:

  • name
  • instructions
  • language tag
  • n_prompts

Before the fix, the code then did:

That means a malicious server could advertise an enormous n_prompts value even if the packet contained no prompt bodies at all.

The fix rejects inconsistent prompt counts before allocating:

Each prompt needs at least 4 bytes of string length plus 1 byte of echo flag, so remaining_len() / 5 is a safe upper bound. If the declared count exceeds what the packet can actually contain, the packet is malformed and is now rejected instead of being silently truncated.

The tester did not find a same-class server-side bug in the reciprocal USERAUTH_INFO_RESPONSE path. The server already bounds the response count by remaining packet length before allocating.

Affected package and versions:

  • package: russh
  • earliest affected stable: 0.37.0
  • confirmed affected current release: 0.60.2

The tester does not believe this issue affects the other crates in this workspace (russh-config, russh-cryptovec, pageant, or russh-util).

PoC

An in-tree regression test was added: client::tests::oversized_keyboard_interactive_prompt_count_is_rejected

The test builds a client session in WaitingAuthRequest(KeyboardInteractive) state and feeds it a synthetic USERAUTH_INFO_REQUEST packet with:

  • normal name
  • normal instructions
  • empty language tag
  • n_prompts = u32::MAX
  • no prompt bodies

On the fixed code, the client rejects the packet with Error::Inconsistent and does not emit a reply to the caller.

For old-code impact verification, the pre-fix path was also checked separately with a constrained-memory repro. On unfixed upstream/main, the same malformed packet attempted a very large allocation and failed with:

Relevant verification commands:

Impact

Suggested CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Score: 6.5

Reasoning:

  • AV:N: reached by a malicious SSH server over the network
  • AC:L: the packet format is straightforward
  • PR:N: no prior authentication required
  • UI:R: the victim must initiate a connection and proceed into keyboard-interactive auth
  • C:N, I:N: no confidentiality or integrity impact was demonstrated
  • A:H: the server can drive a very large allocation attempt in the client auth path, which can abort or exhaust client-side resources depending on allocator and platform behavior
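The bound the fix describes, as an added example in Rust that is not russh's own code: a minimal parser for the body of an SSH_MSG_USERAUTH_INFO_REQUEST that rejects a prompt count larger than remaining_len() / 5 before any allocation is sized by it, plus an encoder used to construct the malformed packet from the regression test (declared count u32::MAX, no prompt bodies). The names parse_info_request, encode_info_request and ParseError are assumptions for this example, not russh identifiers.

```rust
// Added example, not russh's own code: parses an SSH_MSG_USERAUTH_INFO_REQUEST
// body (RFC 4256) and applies the fix's bound: every prompt needs a 4-byte
// length plus a 1-byte echo flag, so a count above remaining_len() / 5 is rejected.
use std::convert::TryInto;
#[derive(Debug, PartialEq)]
pub enum ParseError { Truncated, Inconsistent }
// Consumes n bytes from the front of `buf`, failing instead of over-reading.
fn take<'a>(buf: &mut &'a [u8], n: usize) -> Result<&'a [u8], ParseError> {
    if n > buf.len() { return Err(ParseError::Truncated); }
    let (head, tail) = buf.split_at(n);
    *buf = tail;
    Ok(head)
}
fn read_u32(buf: &mut &[u8]) -> Result<u32, ParseError> {
    Ok(u32::from_be_bytes(take(buf, 4)?.try_into().unwrap()))
}
// SSH "string": 4-byte big-endian length followed by that many bytes.
fn read_string<'a>(buf: &mut &'a [u8]) -> Result<&'a [u8], ParseError> {
    let len = read_u32(buf)? as usize;
    take(buf, len)
}
/// Parses name, instruction, language tag, n_prompts and the prompt bodies (text, echo).
pub fn parse_info_request(mut rest: &[u8]) -> Result<Vec<(Vec<u8>, bool)>, ParseError> {
    for _ in 0..3 { read_string(&mut rest)?; } // name, instruction, language tag
    let n_prompts = read_u32(&mut rest)? as usize;
    // remaining_len() / 5 is the most prompts the rest of the packet can hold.
    if n_prompts > rest.len() / 5 {
        return Err(ParseError::Inconsistent); // the pre-fix code allocated here
    }
    let mut prompts = Vec::with_capacity(n_prompts);
    for _ in 0..n_prompts {
        let text = read_string(&mut rest)?.to_vec();
        prompts.push((text, take(&mut rest, 1)?[0] != 0));
    }
    Ok(prompts)
}
fn put_string(out: &mut Vec<u8>, s: &[u8]) {
    out.extend_from_slice(&(s.len() as u32).to_be_bytes());
    out.extend_from_slice(s);
}
/// Encodes a request body with an explicit declared count, so a test can build the
/// malformed case (count without bodies) as well as a well-formed one.
pub fn encode_info_request(name: &[u8], instruction: &[u8], lang: &[u8],
                           declared_count: u32, prompts: &[(&[u8], bool)]) -> Vec<u8> {
    let mut out = Vec::new();
    for s in [name, instruction, lang].iter() { put_string(&mut out, s); }
    out.extend_from_slice(&declared_count.to_be_bytes());
    for (text, echo) in prompts { put_string(&mut out, text); out.push(*echo as u8); }
    out
}
```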

Impact

What is improper input validation?

The application does not adequately validate input before processing it, allowing unexpected values to reach sensitive code paths. Typical impact varies by context: data corruption, logic bypass, or denial of service.

Severity and exposure

CVE-2026-48107 has a CVSS score of 6.5 (Medium). The vector is network-reachable, no privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.

A fixed version is available (0.61.0). Upgrading removes the vulnerable code path.

Affected versions

rust

  • russh (>= 0.37.0, < 0.61.0)

Security releases

  • russh → 0.61.0 (rust)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.

Kodem's runtime-powered SCA identifies whether CVE-2026-48107 is reachable in your applications. Explore open-source security for your team.

Remediation advice

Upgrade russh to 0.61.0 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently asked questions about CVE-2026-48107

What is CVE-2026-48107?

CVE-2026-48107 is a medium-severity improper input validation vulnerability in russh (rust), affecting versions >= 0.37.0, < 0.61.0. It is fixed in 0.61.0. The application does not adequately validate input before processing it, allowing unexpected values to reach sensitive code paths.

How severe is CVE-2026-48107?

CVE-2026-48107 has a CVSS score of 6.5 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.

Which versions of russh are affected by CVE-2026-48107?

russh (rust) versions >= 0.37.0, < 0.61.0 are affected.

Is there a fix for CVE-2026-48107?

Yes. CVE-2026-48107 is fixed in 0.61.0. Upgrade to this version or later.

Is CVE-2026-48107 exploitable, and should I be worried?

Whether CVE-2026-48107 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.

What actually determines whether CVE-2026-48107 is exploitable, and how bad it is?

Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.

How do I fix CVE-2026-48107?

Upgrade russh to 0.61.0 or later.