PatchSiren cyber security CVE debrief
CVE-2026-46673 Eugeny CVE debrief
Russh is a Rust SSH client & server library. Prior to version 0.60.3, CryptoVec used unchecked capacity growth, unchecked length arithmetic, and unsafe allocation/locking paths. In current russh releases, local SSH agent peers could still feed attacker-controlled frame lengths into buffer growth before validation. In older russh releases before 0.58.0, remote SSH traffic also reached CryptoVec through transport and compression buffers. This issue has been patched in version 0.60.3.
- Vendor: Eugeny
- Product: russh
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-11
Who should care
Users of Russh library versions prior to 0.60.3
Technical summary
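The vulnerability is caused by unchecked capacity growth, unchecked length arithmetic, and unsafe allocation/locking paths in CryptoVec. In releases before 0.60.3, local SSH agent peers could feed attacker-controlled frame lengths into buffer growth before validation; in releases before 0.58.0, remote SSH traffic also reached CryptoVec through transport and compression buffers.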
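The defensive pattern for this bug class, a peer-supplied frame length that must be validated before it drives buffer growth, is sketched below as an added example; it is not code from russh or from the advisory. The 4-byte big-endian length prefix, the `MAX_FRAME_LEN` cap, and the names `read_frame` and `FrameError` are assumptions made for illustration.

```rust
use std::io::Read;

// Assumed per-frame cap for this example; not a value taken from russh.
const MAX_FRAME_LEN: usize = 256 * 1024;

#[derive(Debug, PartialEq)]
enum FrameError {
    Empty,
    TooLarge(usize),
    Truncated,
}

// Reads one frame (4-byte big-endian length, then payload) and appends the
// payload to `buf`. The length is validated before `buf` is grown.
fn read_frame<R: Read>(src: &mut R, buf: &mut Vec<u8>) -> Result<usize, FrameError> {
    let mut hdr = [0u8; 4];
    src.read_exact(&mut hdr).map_err(|_| FrameError::Truncated)?;
    let len = u32::from_be_bytes(hdr) as usize; // widening on 32/64-bit targets
    if len == 0 {
        return Err(FrameError::Empty);
    }
    if len > MAX_FRAME_LEN {
        return Err(FrameError::TooLarge(len)); // rejected before any allocation
    }
    let start = buf.len();
    // Checked arithmetic: never let the new length wrap around.
    let end = start.checked_add(len).ok_or(FrameError::TooLarge(len))?;
    // Fallible reservation: allocation failure becomes an error, not an abort.
    buf.try_reserve_exact(len).map_err(|_| FrameError::TooLarge(len))?;
    buf.resize(end, 0);
    if src.read_exact(&mut buf[start..end]).is_err() {
        buf.truncate(start); // drop the partial payload
        return Err(FrameError::Truncated);
    }
    Ok(len)
}

fn main() {
    // Constructed sample frames: one valid, one with a hostile length field.
    let good = [0u8, 0, 0, 3, b'a', b'b', b'c'];
    let hostile = [0xffu8, 0xff, 0xff, 0xff];
    let mut buf = Vec::new();
    println!("{:?}", read_frame(&mut &good[..], &mut buf));
    println!("{:?}", read_frame(&mut &hostile[..], &mut buf));
}
```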
Defensive priority
HIGH
Recommended defensive actions
- Update to version 0.60.3 or later
Evidence notes
CVE-2026-46673 has been patched in version 0.60.3.
Official resources
- CVE-2026-46673 CVE record (CVE.org)
- CVE-2026-46673 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference: CVE-2026-46673 was published on 2026-06-10.