CVE-2026-42189: CWE-770: Allocation of Resources Without Limits or Throttling in Eugeny russh
Russh is a Rust SSH client & server library. Prior to version 0.60.1, a pre-authentication denial-of-service vulnerability exists in the server's keyboard-interactive authentication handler. A malicious client can crash any russh-based server that implements keyboard-interactive auth (e.g., for 2FA/TOTP) with a single malformed packet, requiring no credentials. This issue has been patched in version 0.60.1.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2026-42189 affects the russh Rust SSH library versions prior to 0.60.1. It involves allocation of resources without limits or throttling (CWE-770) in the server's keyboard-interactive authentication handler. An attacker can exploit this by sending a malformed packet before authentication, causing a denial-of-service crash on the server. The issue has been addressed in version 0.60.1 of russh.
Potential Impact
Successful exploitation results in a denial-of-service condition, crashing russh-based SSH servers that use keyboard-interactive authentication. This impacts availability but does not affect confidentiality or integrity. No credentials or prior authentication are required to trigger the crash.
Mitigation Recommendations
This vulnerability is patched in russh version 0.60.1. Users and administrators should upgrade to version 0.60.1 or later to remediate this issue. Since no vendor advisory content is provided, patch status is confirmed by the description stating the fix is in version 0.60.1. No additional mitigations are indicated.
CVE-2026-42189: CWE-770: Allocation of Resources Without Limits or Throttling in Eugeny russh
Description
Russh is a Rust SSH client & server library. Prior to version 0.60.1, a pre-authentication denial-of-service vulnerability exists in the server's keyboard-interactive authentication handler. A malicious client can crash any russh-based server that implements keyboard-interactive auth (e.g., for 2FA/TOTP) with a single malformed packet, requiring no credentials. This issue has been patched in version 0.60.1.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability identified as CVE-2026-42189 affects the russh Rust SSH library versions prior to 0.60.1. It involves allocation of resources without limits or throttling (CWE-770) in the server's keyboard-interactive authentication handler. An attacker can exploit this by sending a malformed packet before authentication, causing a denial-of-service crash on the server. The issue has been addressed in version 0.60.1 of russh.
Potential Impact
Successful exploitation results in a denial-of-service condition, crashing russh-based SSH servers that use keyboard-interactive authentication. This impacts availability but does not affect confidentiality or integrity. No credentials or prior authentication are required to trigger the crash.
Mitigation Recommendations
This vulnerability is patched in russh version 0.60.1. Users and administrators should upgrade to version 0.60.1 or later to remediate this issue. Since no vendor advisory content is provided, patch status is confirmed by the description stating the fix is in version 0.60.1. No additional mitigations are indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-25T01:53:21.583Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69fe4242cbff5d8610241d75
Added to database: 5/8/2026, 8:06:26 PM
Last enriched: 5/8/2026, 8:21:30 PM
Last updated: 5/9/2026, 1:59:22 AM
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.