PT-2026-41729 · Russh · Russh

Published: 2026-05-15 · Updated: 2026-06-10 · CVE-2026-46673

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

russh versions prior to 0.58.0
russh versions 0.60.x

Description

An issue exists in the CryptoVec component involving unchecked capacity growth, unchecked length arithmetic, and unsafe allocation and locking paths. In versions prior to 0.58.0, remote SSH traffic could trigger this through transport packet reads and zlib decompression output. In 0.60.x releases, local SSH agent peers could provide attacker-controlled frame lengths to trigger buffer growth before validation. Specifically, the AgentClient::read_response() and Connection::run() functions read a peer-supplied u32 length and resized the buffer to that value without prior validation. On Unix systems, the mlock and munlock functions previously accepted zero-length calls and performed null-pointer validation inside unsafe OS-call paths, which could lead to a process abort under constrained memory conditions when NonNull::new_unchecked() receives a null pointer after an allocation failure.

Recommendations

For versions prior to 0.58.0, update to a version where non-secret transport and compression buffers no longer use CryptoVec. For versions 0.60.x, update to a version that caps agent frame lengths at 256 * 1024 and implements checked capacity growth and length arithmetic in CryptoVec. As a temporary mitigation, restrict access to local SSH agent peers to minimize the risk of exploitation via oversized frame lengths.
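
The validate-before-resize pattern named in the recommendation, as an added Rust example (not russh's own code). The names read_frame, checked_grow and MAX_AGENT_FRAME_LEN are hypothetical, and a plain Vec<u8> stands in for CryptoVec.

```rust
use std::io::{self, Cursor, Read};

// Frame cap from the advisory's recommendation (256 * 1024 bytes).
const MAX_AGENT_FRAME_LEN: usize = 256 * 1024;

// Hypothetical helper (not russh's API): grow `buf` with checked length
// arithmetic and fallible allocation, so failure is an error, not an abort.
fn checked_grow(buf: &mut Vec<u8>, extra: usize) -> io::Result<()> {
    let new_len = buf
        .len()
        .checked_add(extra)
        .ok_or_else(|| io::Error::new(io::ErrorKind::InvalidData, "length overflow"))?;
    buf.try_reserve_exact(extra)
        .map_err(|_| io::Error::new(io::ErrorKind::OutOfMemory, "allocation failed"))?;
    buf.resize(new_len, 0);
    Ok(())
}

// Read one `u32 length || payload` frame. The peer-supplied length is
// validated against the cap before the buffer is resized.
fn read_frame<R: Read>(r: &mut R, buf: &mut Vec<u8>) -> io::Result<usize> {
    let mut len_bytes = [0u8; 4];
    r.read_exact(&mut len_bytes)?;
    let len = u32::from_be_bytes(len_bytes) as usize;
    if len > MAX_AGENT_FRAME_LEN {
        return Err(io::Error::new(io::ErrorKind::InvalidData, "agent frame too large"));
    }
    buf.clear();
    checked_grow(buf, len)?;
    r.read_exact(buf)?;
    Ok(len)
}

fn main() {
    // Constructed input: a 3-byte frame, then a header claiming ~4 GiB.
    let mut good = Cursor::new(vec![0u8, 0, 0, 3, 11, 1, 2]);
    let mut hostile = Cursor::new(vec![0xffu8; 4]);
    let mut buf: Vec<u8> = Vec::new();
    let ok = read_frame(&mut good, &mut buf);
    println!("good frame: {:?}, payload {:?}", ok, buf);
    let mut buf2: Vec<u8> = Vec::new();
    let rejected = read_frame(&mut hostile, &mut buf2);
    println!("hostile frame: {:?}, capacity {}", rejected, buf2.capacity());
}
```

The oversized header is rejected while the buffer still has zero capacity, so no allocation is driven by the peer's claimed length.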

Exploit

Fix

Allocation of Resources Without Limits

Weakness Enumeration

Related Identifiers

CVE-2026-46673
GHSA-G9F8-WQJ9-FJW5
RUSTSEC-2026-0153
RUSTSEC-2026-0154

Affected Products

Russh