HIGH 7.5 CVE-2026-48110 Russh SSH message fields were decoded through allocation-first parsers before field-specific bounds
>= 0.34.0, < 0.61.0
HIGH 7.5 CVE-2026-46702 russh: Post-decompression SSH packet size was not bounded, allowing remote oversized compressed packets
>= 0.34.0, < 0.61.1
>= 0.0.0-0, < 0.60.3
HIGH 7.5 Unbounded 32-bit allocation
from 0, < 0.60.3
HIGH 7.5 russh has pre-auth DoS via unbounded allocation in its keyboard-interactive auth handler
from 0, < 0.60.1
HIGH 7.5 Russh has an OOM Denial of Service due to allocation of untrusted amount
from 0, < 0.44.1
MEDIUM 6.5 Russh: Unchecked keyboard-interactive prompt count in client auth path
>= 0.37.0, < 0.61.0
MEDIUM 6.5 russh is missing overflow checks during channel windows adjust
from 0, < 0.54.1
MEDIUM 5.9 erlang - security update
from 0, < 0.40.2
MEDIUM 5.9 russh may use insecure Diffie-Hellman keys
from 0, < 0.36.2
MEDIUM 5.3 Russh: SSH identification parsing accepted non-canonical client banners and did not bound pre-banner input
>= 0.34.0-beta.1, < 0.61.0
MEDIUM 5.3 russh server userauth state is not reset when authentication principal changes
>= 0.34.0-beta.1, < 0.61.0