CVE-2026-46673: Russh: Unchecked CryptoVec allocation and growth handling is reachable from local agent inputs in current russh releases and from remote SSH traffic in historical pre-0.58.0 releases
Russh is a Rust SSH client & server library. Prior to version 0.60.3, CryptoVec used unchecked capacity growth, unchecked length arithmetic, and unsafe allocation/locking paths. In current russh releases, local SSH agent peers could still feed attacker-controlled frame lengths into buffer growth before validation. In older russh releases before 0.58.0, remote SSH traffic also reached CryptoVec through transport and compression buffers. This issue has been patched in version 0.60.3.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An unchecked memory allocation and buffer growth vulnerability exists in the Russh Rust SSH client and server library. The flaw is reachable over the network with no authentication required, as unauthenticated remote SSH traffic can drive attacker-controlled frame lengths into CryptoVec capacity growth routines. Successful exploitation allows an attacker to crash the affected service, causing a complete denial of availability. A patched-image rebuild at version 0.60.3 is available on HarborGuard for environments running an affected version of russh.
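The defect class described above is a peer-announced frame length reaching buffer growth before any bound or overflow check runs. The following is an added illustration, not russh's code and not its CryptoVec API: a small buffer type that parses the 4-byte big-endian length prefix SSH packets carry, rejects lengths above a policy limit, uses checked arithmetic for the new total length, and reserves with `try_reserve` so an allocator refusal surfaces as an error rather than an abort. `FrameBuf`, `GrowError`, `MAX_FRAME_LEN` and its 256 KiB value are hypothetical names and constructed values chosen for this example.

```rust
// Added example, not russh's own code: validate a peer-supplied frame length
// before it can drive buffer growth. `FrameBuf`, `MAX_FRAME_LEN` and the error
// type are hypothetical names chosen for this illustration.
use std::fmt;

/// Policy limit on a single announced frame. Constructed value for the example;
/// a real server derives this from its protocol's maximum packet length.
pub const MAX_FRAME_LEN: usize = 256 * 1024;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum GrowError {
    /// Announced length is above the policy limit.
    TooLarge { requested: usize, limit: usize },
    /// `current + announced` does not fit in usize (the unchecked-arithmetic case).
    LengthOverflow,
    /// The allocator refused the request; reported instead of aborting the process.
    AllocFailed(usize),
    /// Fewer than 4 header bytes were supplied.
    ShortHeader,
    /// Payload delivered does not match the announced length.
    PayloadMismatch { announced: usize, got: usize },
}

impl fmt::Display for GrowError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            GrowError::TooLarge { requested, limit } => {
                write!(f, "frame of {} bytes exceeds limit {}", requested, limit)
            }
            GrowError::LengthOverflow => write!(f, "buffer length arithmetic overflowed"),
            GrowError::AllocFailed(n) => write!(f, "could not reserve {} bytes", n),
            GrowError::ShortHeader => write!(f, "length prefix shorter than 4 bytes"),
            GrowError::PayloadMismatch { announced, got } => {
                write!(f, "announced {} bytes, got {}", announced, got)
            }
        }
    }
}

/// Checked length arithmetic, kept as a free function so the overflow path can be
/// exercised without allocating anything.
pub fn total_len(current: usize, announced: usize) -> Result<usize, GrowError> {
    current.checked_add(announced).ok_or(GrowError::LengthOverflow)
}

/// Read the 4-byte big-endian length prefix that SSH binary packets carry.
pub fn announced_len(header: &[u8]) -> Option<usize> {
    let bytes: [u8; 4] = header.get(..4)?.try_into().ok()?;
    Some(u32::from_be_bytes(bytes) as usize)
}

#[derive(Default)]
pub struct FrameBuf {
    data: Vec<u8>,
}

impl FrameBuf {
    pub fn new() -> Self {
        Self::default()
    }

    pub fn len(&self) -> usize {
        self.data.len()
    }

    pub fn as_bytes(&self) -> &[u8] {
        &self.data
    }

    /// Reserve room for an announced frame. Every check runs *before* capacity
    /// changes; the unchecked pattern computes `len + announced` and grows first,
    /// so an attacker-controlled size reaches the allocator unvalidated.
    pub fn reserve_for_frame(&mut self, announced: usize) -> Result<usize, GrowError> {
        if announced > MAX_FRAME_LEN {
            return Err(GrowError::TooLarge { requested: announced, limit: MAX_FRAME_LEN });
        }
        let needed = total_len(self.data.len(), announced)?;
        self.data
            .try_reserve(announced)
            .map_err(|_| GrowError::AllocFailed(announced))?;
        Ok(needed)
    }

    /// Parse the header, validate and reserve (as a streaming reader would, before
    /// the payload arrives), then copy the payload in once its size is confirmed.
    pub fn ingest(&mut self, header: &[u8], payload: &[u8]) -> Result<usize, GrowError> {
        let announced = announced_len(header).ok_or(GrowError::ShortHeader)?;
        self.reserve_for_frame(announced)?;
        if payload.len() != announced {
            return Err(GrowError::PayloadMismatch { announced, got: payload.len() });
        }
        self.data.extend_from_slice(payload);
        Ok(self.data.len())
    }
}

fn main() {
    let mut buf = FrameBuf::new();
    // Constructed inputs: a well-formed 3-byte frame, then an oversized announcement.
    println!("{:?} len={}", buf.ingest(&[0, 0, 0, 3], b"abc"), buf.len());
    match buf.ingest(&u32::MAX.to_be_bytes(), b"") {
        Err(e) => println!("rejected: {}", e),
        Ok(n) => println!("accepted, buffer now {} bytes", n),
    }
}
```

The design point is ordering: the bound check and the checked addition both run before `try_reserve`, so no peer-chosen number influences capacity until it has been judged acceptable, and the overflow case is a typed error rather than a wrap or a panic.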
HarborGuard Coverage
- Detection: Available
  Detection of CVE-2026-46673 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that vendor russh as a dependency. Any image whose dependency graph resolves to a russh release below 0.60.3 is flagged automatically.
- Triage: Available
  HarborGuard scores this CVE at CVSS 7.5 HIGH and weights it against each environment's compliance policy to determine urgency and routing. Triage findings are dispatched to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
- Remediation: Pending upstream
  A patched-image rebuild targeting russh 0.60.3 becomes available on HarborGuard once the upstream fix version is confirmed in the advisory feed. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a PR against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
  The attacker must reach the service over the network; SSH traffic from remote peers drives the vulnerable CryptoVec allocation paths.
- Authentication: Not required
  No credentials are needed; unauthenticated SSH connection attempts are sufficient to reach the vulnerable code.
- Victim interaction: Not required
  No user action is required; the attacker triggers the vulnerability by sending crafted SSH frames without any victim participation.
- Attack complexity
  Exploitation is reliable and condition-free; no race conditions or specific memory layout are required to reach the unchecked allocation path.
Blast Radius
- Crashes the russh process by exhausting addressable memory or triggering an arithmetic overflow in buffer length handling.
- Disrupts any application that depends on the russh library for SSH client or server functionality, taking it offline until restarted.
- In environments running pre-0.58.0 releases, the same crash path is reachable from fully unauthenticated remote SSH traffic, widening exposure to any internet-accessible SSH service.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-46673 is active across all scanning pipelines, matching images that carry russh below version 0.60.3. Because the fix version 0.60.3 is now published upstream, a patched-image rebuild is available on HarborGuard for any affected image. For customers who opt into auto-remediation, HarborGuard triggers a rebuild pinned to russh 0.60.3, executes a regression run, and opens a PR against the affected workload; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, the CVE appears in the triage queue with CVSS 7.5 HIGH scoring and fix-version guidance so engineers can act manually. Given the network-accessible, no-auth exploit path, prioritizing this update for any image that exposes an SSH service externally is strongly warranted.
- Eugeny / russh: < 0.60.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H