{"id":"RUSTSEC-2026-0153","summary":"Unchecked `CryptoVec` allocation and growth handling","details":"`CryptoVec` used unchecked capacity growth, unchecked length arithmetic, and\nunsafe allocation and locking paths. In affected `russh` releases,\nattacker-controlled input could reach these code paths through buffer resizing\noperations.\n\nTwo affected reachability paths were identified:\n\n* **Current `russh` releases (`0.60.x` before the fix)**\n  Local SSH agent peers could provide attacker-controlled frame lengths that\n  were used to resize internal buffers before validation in:\n\n  * `AgentClient::read_response`\n  * `agent::server::Connection::run`\n\n* **Historical `russh` releases before `0.58.0`**\n  `CryptoVec` was also used for non-secret transport and compression buffers,\n  allowing remote SSH traffic to trigger `CryptoVec` growth through:\n\n  * transport packet reads\n  * zlib decompression output\n\nThese remote paths were removed in `0.58.0` when `CryptoVec` stopped being used\nfor those buffers.\n\nUnder constrained memory conditions, historical `russh` versions prior to\n`0.58.0` can abort the process when remote compressed payload expansion causes\nallocation failure in `CryptoVec`. This was reproduced through the compression\npath and resulted in process termination in the Unix allocation/locking\nimplementation after null pointer allocation failure.\n\nFor current affected releases, oversized local SSH agent frame lengths could\ntrigger untrusted-input-driven buffer growth prior to validation.\n\nNo practical remote code execution, integrity or confidentiality impact has\nbeen demonstrated.\n\nFixed by validating CryptoVec growth operations and rejecting oversized SSH\nagent frame lengths before buffer allocation.","aliases":["CVE-2026-46673","GHSA-g9f8-wqj9-fjw5","RUSTSEC-2026-0154"],"modified":"2026-06-02T10:11:07.572512472Z","published":"2026-05-15T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/russh-cryptovec"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2026-0153.html"},{"type":"ADVISORY","url":"https://github.com/Eugeny/russh/security/advisories/GHSA-g9f8-wqj9-fjw5"},{"type":"WEB","url":"https://github.com/Eugeny/russh/commit/a2d48a71fe93d18cbd666c8d53d0882f5ce110c4"}],"affected":[{"package":{"name":"russh-cryptovec","ecosystem":"crates.io","purl":"pkg:cargo/russh-cryptovec"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"},{"fixed":"0.60.3"}]}],"ecosystem_specific":{"affects":{"functions":[],"os":[],"arch":[]},"affected_functions":null},"database_specific":{"cvss":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","categories":["denial-of-service"],"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0153.json","informational":null}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}