Coreyleavitt

**Name of the Vulnerable Software and Affected Versions** Russh versions prior to 0.60.1 **Description** A pre-authentication denial-of-service issue exists in the server's keyboard-interactive authentication handler. A malicious client can crash any server based on this library that implements keyboard-interactive authentication (such as for 2FA/TOTP) by sending a single malformed packet without requiring credentials. The problem occurs in the `read userauth info response()` function within `russh/src/server/encrypted.rs`, where the server decodes a `u32` count from the client's `SSH MSG USERAUTH INFO RESPONSE` and passes it directly to `Vec::with capacity()`. An attacker can provide a very large value for this count, forcing the server to attempt a massive memory allocation (e.g., 6.4GB), which leads to an Out-of-Memory (OOM) crash. **Recommendations** Update to version 0.60.1. As a temporary workaround, restrict the use of the `Handler::auth keyboard interactive` implementation if it returns `Auth::Partial` until the update is applied.