PT-2026-37172 · Russh · Russh

Coreyleavitt · Published 2026-04-24 · Updated 2026-05-14 · CVE-2026-42189

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Russh versions prior to 0.60.1

Description: A pre-authentication denial-of-service issue exists in the server's keyboard-interactive authentication handler. A malicious client can crash any server based on this library that implements keyboard-interactive authentication (such as for 2FA/TOTP) by sending a single malformed packet, without presenting any credentials. The problem is in the `read_userauth_info_response()` function in `russh/src/server/encrypted.rs`, where the server decodes a u32 response count from the client's `SSH_MSG_USERAUTH_INFO_RESPONSE` and passes it directly to `Vec::with_capacity()`. Because the count is never validated against the number of prompts the server sent or the size of the packet, an attacker can supply a very large value and force the server to attempt a massive allocation (e.g., 6.4 GB), which ends in an out-of-memory (OOM) crash.

Recommendations: Update to version 0.60.1. As a temporary workaround, restrict the use of the `Handler::auth_keyboard_interactive` implementation if it returns `Auth::Partial` until the update is applied.
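The pattern the advisory describes, shown side by side with a bounded decoder, as an added example that is not russh's code. The wire layout (a u32 count followed by `count` length-prefixed strings) is the RFC 4256 format for the info-response message; the function names, the `DecodeError` type and the sample payloads are constructed for this illustration. The unchecked variant reports the allocation size it would have requested instead of performing it, so the example is safe to run; the hardened variant rejects a count that does not match the number of prompts the server sent and, as defense in depth, a count the remaining bytes cannot possibly carry.

```rust
// Added example, not russh's code. Names and error type are assumptions made
// for this illustration; the wire format follows RFC 4256.

/// Errors the hardened decoder can report.
#[derive(Debug, PartialEq)]
pub enum DecodeError {
    /// Payload ended before a field was complete.
    Truncated,
    /// Client answered a different number of prompts than the server asked.
    CountMismatch { expected: u32, got: u32 },
}

/// Read a big-endian u32 at `pos`, advancing it. Bounds-checked.
fn read_u32(buf: &[u8], pos: &mut usize) -> Result<u32, DecodeError> {
    let end = pos.checked_add(4).ok_or(DecodeError::Truncated)?;
    let bytes = buf.get(*pos..end).ok_or(DecodeError::Truncated)?;
    *pos = end;
    Ok(u32::from_be_bytes([bytes[0], bytes[1], bytes[2], bytes[3]]))
}

/// Read an SSH string (u32 length prefix + bytes) at `pos`, advancing it.
fn read_string(buf: &[u8], pos: &mut usize) -> Result<Vec<u8>, DecodeError> {
    let len = read_u32(buf, pos)? as usize;
    let end = pos.checked_add(len).ok_or(DecodeError::Truncated)?;
    let s = buf.get(*pos..end).ok_or(DecodeError::Truncated)?;
    *pos = end;
    Ok(s.to_vec())
}

/// The vulnerable shape: the attacker-controlled count sizes the allocation
/// before a single response has been read. Instead of calling
/// `Vec::with_capacity(count as usize)`, this returns the number of bytes that
/// call would request (count * size of one Vec<u8> header), in u128 so the
/// arithmetic cannot overflow on any platform.
pub fn requested_capacity_unchecked(payload: &[u8]) -> Result<u128, DecodeError> {
    let mut pos = 0;
    let count = read_u32(payload, &mut pos)?;
    Ok(count as u128 * std::mem::size_of::<Vec<u8>>() as u128)
}

/// Hardened decoder: the server knows how many prompts it sent, so the only
/// acceptable count is exactly that number. The second check is defense in
/// depth: every response carries at least a 4-byte length prefix, so a count
/// the remaining payload cannot hold is malformed regardless of `expected`.
pub fn decode_responses(payload: &[u8], expected: u32) -> Result<Vec<Vec<u8>>, DecodeError> {
    let mut pos = 0;
    let count = read_u32(payload, &mut pos)?;
    if count != expected {
        return Err(DecodeError::CountMismatch { expected, got: count });
    }
    let remaining = payload.len() - pos;
    if count as usize > remaining / 4 {
        return Err(DecodeError::Truncated);
    }
    // Allocation now happens only after the count has been validated.
    let mut out = Vec::with_capacity(count as usize);
    for _ in 0..count {
        out.push(read_string(payload, &mut pos)?);
    }
    Ok(out)
}

/// Constructed sample: a well-formed response to two prompts.
pub fn sample_benign() -> Vec<u8> {
    let responses: [&[u8]; 2] = [b"123456", b"hunter2"];
    let mut p = Vec::new();
    p.extend_from_slice(&2u32.to_be_bytes());
    for resp in responses.iter() {
        p.extend_from_slice(&(resp.len() as u32).to_be_bytes());
        p.extend_from_slice(resp);
    }
    p
}

/// Constructed sample: the shape the advisory describes, a maximal count and
/// no responses behind it. Used here only to verify the decoder rejects it.
pub fn sample_malformed() -> Vec<u8> {
    u32::MAX.to_be_bytes().to_vec()
}

fn main() {
    println!("benign:    {:?}", decode_responses(&sample_benign(), 2));
    println!("malformed: {:?}", decode_responses(&sample_malformed(), 2));
    println!("unchecked would request {:?} bytes", requested_capacity_unchecked(&sample_malformed()));
}
```

The mismatch check is the primary fix because it ties the allocation to state the server controls; the remaining-bytes check is what protects a decoder that does not have the prompt count at hand, and either one alone is enough to stop the pre-authentication OOM described above.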

Tags: Exploit · Fix · DoS

Weakness Enumeration: Allocation of Resources Without Limits

Related Identifiers:
CVE-2026-42189
GHSA-F5V4-2WR6-HQMG

Affected Products: Russh