PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-48107 Eugeny CVE debrief

CVE-2026-48107 is a vulnerability in Russh, the Rust SSH client and server library. Versions from 0.37.0 up to but not including 0.61.0 are affected. The issue lies in the keyboard-interactive authentication path of the russh client. A malicious SSH server can send a USERAUTH_INFO_REQUEST whose prompt count it chooses. The client passes this raw count straight to Vec::with_capacity(...) without first checking that the packet actually carries that many prompts, so the size of the allocation is dictated by the remote server rather than bounded by the data received. The vulnerability has been patched in version 0.61.0.

Vendor
Eugeny
Product
russh
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-10
Original CVE updated
2026-06-11
Advisory published
2026-06-10
Advisory updated
2026-06-11

Who should care

Anyone running Russh versions 0.37.0 through 0.60.x (any release below 0.61.0) should be aware of this vulnerability. The affected code is the client's keyboard-interactive authentication path, so developers and administrators who use Russh to connect out to SSH servers, particularly servers they do not control, should assess the risk and update to version 0.61.0 or later.

Technical summary

Russh, a Rust library providing SSH client and server functionality, had a vulnerability in its client-side keyboard-interactive authentication handling. A malicious server could set the prompt count in a USERAUTH_INFO_REQUEST to an arbitrary value, and the client used that value to size an allocation without validating it against the prompt data actually present in the packet.
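The packet handling described in the debrief and in the technical summary above, as an added example that is not russh's own code: a parser for the body of an SSH_MSG_USERAUTH_INFO_REQUEST (RFC 4256, section 3.2) with the prompt Vec sized either from the raw wire count (the vulnerable pattern) or only after that count has been bounded by the bytes still left in the packet. The wire layout comes from RFC 4256; the type and function names, the error enum and the sample bodies built by build_body are assumptions made for this example and do not correspond to russh internals.

```rust
// Added example, not russh's own code: a parser for the body of an
// SSH_MSG_USERAUTH_INFO_REQUEST (RFC 4256, section 3.2), with the prompt Vec
// sized either from the raw wire count (the vulnerable pattern described above)
// or only after that count is bounded by the bytes still left in the packet.
// Layout after the message-type byte: string name, string instruction,
// string language tag, uint32 num-prompts, then num-prompts x (string prompt,
// boolean echo); a "string" is a big-endian uint32 length plus that many bytes.

#[derive(Debug, PartialEq)]
pub struct InfoRequest {
    pub name: String,
    pub instruction: String,
    pub prompts: Vec<(String, bool)>,
}

#[derive(Debug, PartialEq)]
pub enum ParseError {
    Truncated,
    TooManyPrompts { claimed: u32, max_possible: usize },
}

/// Smallest wire size of one prompt: empty string (4 bytes) + echo flag (1 byte).
const MIN_PROMPT_BYTES: usize = 5;

struct Reader<'a> { buf: &'a [u8], pos: usize }

impl<'a> Reader<'a> {
    fn remaining(&self) -> usize { self.buf.len() - self.pos }

    fn u32(&mut self) -> Result<u32, ParseError> {
        if self.remaining() < 4 { return Err(ParseError::Truncated); }
        let b = &self.buf[self.pos..self.pos + 4];
        self.pos += 4;
        Ok(u32::from_be_bytes([b[0], b[1], b[2], b[3]]))
    }

    fn byte(&mut self) -> Result<u8, ParseError> {
        if self.remaining() < 1 { return Err(ParseError::Truncated); }
        self.pos += 1;
        Ok(self.buf[self.pos - 1])
    }

    fn string(&mut self) -> Result<String, ParseError> {
        let len = self.u32()? as usize;
        if self.remaining() < len { return Err(ParseError::Truncated); }
        let s = String::from_utf8_lossy(&self.buf[self.pos..self.pos + len]).into_owned();
        self.pos += len;
        Ok(s)
    }
}

fn parse_with(body: &[u8], bound_count: bool) -> Result<InfoRequest, ParseError> {
    let mut r = Reader { buf: body, pos: 0 };
    let name = r.string()?;
    let instruction = r.string()?;
    let _language_tag = r.string()?;
    let claimed = r.u32()?;
    if bound_count {
        // N bytes left can hold at most N / 5 prompts; reject anything larger
        // before the allocator is involved.
        let max_possible = r.remaining() / MIN_PROMPT_BYTES;
        if claimed as usize > max_possible {
            return Err(ParseError::TooManyPrompts { claimed, max_possible });
        }
    }
    // Without the bound, this allocation is sized by whatever the server sent:
    // a claimed u32::MAX reserves billions of (String, bool) slots up front.
    let mut prompts = Vec::with_capacity(claimed as usize);
    for _ in 0..claimed {
        let prompt = r.string()?;
        let echo = r.byte()? != 0;
        prompts.push((prompt, echo));
    }
    Ok(InfoRequest { name, instruction, prompts })
}

/// Vulnerable shape: the raw count sizes the Vec. Never feed this a hostile count.
pub fn parse_unchecked(body: &[u8]) -> Result<InfoRequest, ParseError> { parse_with(body, false) }

/// Hardened shape: the count is checked against the remaining length first.
pub fn parse_checked(body: &[u8]) -> Result<InfoRequest, ParseError> { parse_with(body, true) }

fn put_string(out: &mut Vec<u8>, s: &str) {
    out.extend_from_slice(&(s.len() as u32).to_be_bytes());
    out.extend_from_slice(s.as_bytes());
}

/// Constructed sample body (not a captured packet): empty name, instruction and
/// language tag, then `claimed` as the prompt count, then the given prompts.
pub fn build_body(claimed: u32, prompts: &[(&str, bool)]) -> Vec<u8> {
    let mut b = Vec::new();
    for _ in 0..3 { put_string(&mut b, ""); }
    b.extend_from_slice(&claimed.to_be_bytes());
    for (prompt, echo) in prompts {
        put_string(&mut b, prompt);
        b.push(*echo as u8);
    }
    b
}

fn main() {
    let benign = build_body(1, &[("Password: ", false)]);
    let hostile = build_body(u32::MAX, &[]);
    println!("benign, checked:  {:?}", parse_checked(&benign));
    println!("hostile, checked: {:?}", parse_checked(&hostile));
    // parse_unchecked(&hostile) is deliberately not called: it would try to
    // reserve u32::MAX entries and abort the process, which is the bug.
}
```

The bound is deliberately conservative: it only proves the count cannot exceed what the packet can physically hold, so a count that is too large for the remaining bytes is rejected before Vec::with_capacity runs, while a count that fits but is not fully backed by prompt data still fails later with a plain Truncated error instead of an oversized allocation.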

Defensive priority

MEDIUM

Recommended defensive actions

  • Update the Russh library to version 0.61.0 or later, which contains the fix.
  • Until the update is deployed, treat the issue as reachable from any server a Russh-based client connects to: the trigger is a malicious or compromised server, so restrict outbound connections to known, host-key-verified servers where possible.
  • In your own protocol code, bound any wire-supplied count or length by the bytes remaining in the packet before using it to size an allocation; an unchecked Vec::with_capacity(...) fed from a parsed field is the pattern to look for.

Evidence notes

The vulnerability was patched in version 0.61.0 of the Russh library. More details can be found in the official CVE record [cve-org] and the NVD detail page [nvd].

Official resources

CVE-2026-48107 was published on 2026-06-10T22:17:00.983Z and modified on 2026-06-11T15:24:44.007Z.