CVE-2026-48107 MEDIUM

CVE-2026-48107: Russh: Unchecked keyboard-interactive prompt count in client auth path

Vendor Eugeny
Product russh
Weakness CWE-20 · Input validation
Published June 10, 2026
Last update June 11, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality None
Integrity None
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

What the vulnerability does

01 Description

Russh is a Rust SSH client & server library. From version 0.37.0 to before version 0.61.0, in the russh client keyboard-interactive authentication path, a malicious SSH server could send a USERAUTH_INFO_REQUEST with an attacker-controlled prompt count, and the client would use that raw count directly in Vec::with_capacity(...) before validating that enough prompt data was actually present in the packet. This issue has been patched in version 0.61.0.
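The allocation-before-validation pattern described above, beside a bounded variant, as an added Rust example that is not russh's own code: the function names, the `Prompt` type and the packet bytes are constructed for this illustration, and only the tail of the message (prompt count and prompts, per RFC 4256) is modelled.

```rust
// Added example, not russh's own code: parsing the tail of an SSH
// USERAUTH_INFO_REQUEST (RFC 4256): uint32 num-prompts, then per prompt
// a string and a boolean echo flag. All packet bytes are constructed.
pub type Prompt = (String, bool);

fn read_u32(buf: &[u8], pos: &mut usize) -> Result<u32, String> {
    let b = buf.get(*pos..*pos + 4).ok_or("truncated u32")?;
    *pos += 4;
    Ok(u32::from_be_bytes([b[0], b[1], b[2], b[3]]))
}

fn read_prompt(buf: &[u8], pos: &mut usize) -> Result<Prompt, String> {
    let len = read_u32(buf, pos)? as usize;
    let end = (*pos).checked_add(len).ok_or("length overflow")?;
    let bytes = buf.get(*pos..end).ok_or("truncated prompt string")?;
    let echo = *buf.get(end).ok_or("truncated echo flag")? != 0;
    *pos = end + 1;
    Ok((String::from_utf8(bytes.to_vec()).map_err(|e| e.to_string())?, echo))
}

/// Vulnerable shape: the peer's count sizes the Vec before any prompt is read;
/// a count near u32::MAX asks for gigabytes up front, typically aborting the client (A:H).
pub fn parse_prompts_unchecked(buf: &[u8]) -> Result<Vec<Prompt>, String> {
    let mut pos = 0;
    let count = read_u32(buf, &mut pos)? as usize;
    let mut prompts = Vec::with_capacity(count);
    for _ in 0..count { prompts.push(read_prompt(buf, &mut pos)?); }
    Ok(prompts)
}

/// Hardened shape: a prompt needs at least 5 wire bytes (4-byte length + echo),
/// so a count above remaining/5 cannot be backed by data; reject before allocating.
pub fn parse_prompts_checked(buf: &[u8]) -> Result<Vec<Prompt>, String> {
    let mut pos = 0;
    let count = read_u32(buf, &mut pos)? as usize;
    if count > (buf.len() - pos) / 5 {
        return Err(format!("prompt count {count} exceeds packet data"));
    }
    let mut prompts = Vec::with_capacity(count);
    for _ in 0..count { prompts.push(read_prompt(buf, &mut pos)?); }
    Ok(prompts)
}

/// Constructed packet: a claimed prompt count followed by raw prompt data.
pub fn packet(count: u32, body: &[u8]) -> Vec<u8> {
    [&count.to_be_bytes()[..], body].concat()
}
/// Constructed bodies: two genuine prompts; data for a single prompt ("?", echo on).
pub const BENIGN_BODY: &[u8] = b"\x00\x00\x00\x0aPassword: \x00\x00\x00\x00\x05OTP: \x01";
pub const CRAFTED_BODY: &[u8] = b"\x00\x00\x00\x01?\x01";
```

Both parsers agree on a well-formed packet; only the checked one refuses a packet whose claimed count the remaining bytes cannot possibly satisfy, without ever reaching `with_capacity`.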

Key dates

02 Disclosure timeline

June 10, 2026 CVE published
June 11, 2026 Record updated