CVE-2026-42189
high
CVSS v3
7.5
CVSS v2
—
VIR risk
7.5
Description
russh has pre-auth DoS via unbounded allocation in its keyboard-interactive auth handler
Predictions
Exploit likelihood
83%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: security-advisories@github.com — https://github.com/Eugeny/russh/security/advisories/GHSA-f5v4-2wr6-hqmg
Vendor advisory: security-advisories@github.com — https://github.com/Eugeny/russh/releases/tag/v0.60.1
Vendor advisory: security-advisories@github.com — https://github.com/Eugeny/russh/commit/6c3c80a9b6d60763d6227d60fa8310e57172a4d1
References
- https://github.com/Eugeny/russh/commit/6c3c80a9b6d60763d6227d60fa8310e57172a4d1
- https://github.com/Eugeny/russh/releases/tag/v0.60.1
- https://github.com/Eugeny/russh/security/advisories/GHSA-f5v4-2wr6-hqmg
- https://nvd.nist.gov/vuln/detail/CVE-2026-42189
- https://github.com/Eugeny/russh
- https://github.com/advisories/GHSA-f5v4-2wr6-hqmg
CWEs
CWE-770 CWE-789
Verify integrity in audit chain (admin only). AS-IS.