PatchSiren

Eugeny CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH Eugeny CVE published 2026-06-10

CVE-2026-48110

CVE-2026-48110 is a vulnerability in the Russh Rust SSH client & server library. The issue affects versions from 0.34.0 up to but not including 0.61.0. In these versions, the library's handling of certain SSH messages could lead to excessive memory allocation or attempts at allocation when processing attacker-controlled strings, name-lists, and byte fields. This could be exploited by a remote SSH peer to [truncated]

MEDIUM Eugeny CVE published 2026-06-10

CVE-2026-48108

The Russh library, a Rust SSH client and server implementation, had a vulnerability from version 0.34.0-beta.1 up to but not including version 0.61.0. The issue concerns how Russh handles the SSH identification string, which it parses less strictly than OpenSSH does. Specifically, the server-side identification reader used a permissive path similar to the client's, accepting pre-banner lines from clients. Moreover, [truncated]

MEDIUM Eugeny CVE published 2026-06-10

CVE-2026-48107

CVE-2026-48107 is a vulnerability in the Russh Rust SSH client & server library. Versions from 0.37.0 up to but not including 0.61.0 are affected. The issue lies in the keyboard-interactive authentication path of the russh client. A malicious SSH server can send a USERAUTH_INFO_REQUEST with an attacker-controlled prompt count. The client then uses this raw count directly in Vec::with_capacity(...) without [truncated]

MEDIUM Eugeny CVE published 2026-06-10

CVE-2026-46705

A vulnerability was discovered in the Russh Rust SSH client & server library, affecting versions from 0.34.0-beta.1 up to but not including 0.61.0. The issue arises because the Russh server authentication path keeps internal userauth state across SSH_MSG_USERAUTH_REQUEST messages without properly separating that state when the request principal changes. This internal library state mismatch can lead to unintended behavio [truncated]

HIGH Eugeny CVE published 2026-06-10

CVE-2026-46702

A remote denial-of-service vulnerability exists in the Russh SSH library, affecting versions from 0.34.0 up to but not including 0.61.1. A remote peer can send oversized post-decompression packets, causing resource exhaustion in the post-decompression receive path. This issue has been patched in version 0.61.1.

HIGH Eugeny CVE published 2026-06-10

CVE-2026-46673

Russh is a Rust SSH client & server library. Prior to version 0.60.3, CryptoVec used unchecked capacity growth, unchecked length arithmetic, and unsafe allocation/locking paths. In current russh releases, local SSH agent peers could still feed attacker-controlled frame lengths into buffer growth before validation. In older russh releases before 0.58.0, remote SSH traffic also reached CryptoVec through tra [truncated]

HIGH Eugeny CVE published 2026-05-15

CVE-2026-45038

CVE-2026-45038 is a high-severity Tabby vulnerability in drag-and-drop file handling. Before version 1.0.233, Tabby did not escape control characters in file paths when a file was dragged into the terminal emulator, which could result in code execution. The issue is fixed in Tabby 1.0.233. The CVE was published on 2026-05-15 and updated on 2026-05-20.

HIGH Eugeny CVE published 2026-05-15

CVE-2026-45037

CVE-2026-45037 affects Tabby (formerly Terminus) terminal link handling. Before 1.0.232, Tabby passed detected URIs directly to the operating system’s protocol handler without validating the scheme, so a malicious SSH or Telnet server could embed crafted output that appears as a clickable terminal link and causes an unsafe handler to open on the client.

CRITICAL Eugeny CVE published 2026-05-15

CVE-2026-45035

Tabby (formerly Terminus) terminal emulator versions prior to 1.0.233 register a custom URL scheme handler (tabby://) that accepts a run command parameter. When a user clicks a crafted link containing tabby://run?command=..., the operating system launches Tabby, which immediately executes the specified OS command as a child process with the user's full privileges without confirmation, sanitization, or san [truncated]