{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/russh-cryptovec--0.60.2/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["russh (\u003c= 0.60.2)","russh-cryptovec (\u003c= 0.60.2)"],"_cs_severities":["high"],"_cs_tags":["memory-allocation","denial-of-service","ssh","CVE-2026-46673"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eRussh versions up to 0.60.2 contain a vulnerability related to unchecked memory allocation within the \u003ccode\u003eCryptoVec\u003c/code\u003e component. This flaw stems from insufficient validation of peer-supplied lengths when resizing buffers, leading to potential unchecked capacity growth, length arithmetic, and unsafe allocation/locking paths. In current releases, local SSH agent peers can trigger this through crafted frame lengths. In older releases before version 0.58.0, remote SSH traffic could also exploit this via transport and compression buffers. Successful exploitation can lead to a process abort, especially under constrained memory conditions, impacting the availability of the SSH service. The vulnerability is identified as CVE-2026-46673.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker connects to an SSH server running a vulnerable version of Russh (\u0026lt;= 0.60.2).\u003c/li\u003e\n\u003cli\u003eIf the Russh version is before 0.58.0, the attacker sends a crafted SSH packet with a large, compressed payload.\u003c/li\u003e\n\u003cli\u003eThe server attempts to decompress the payload, leading to the allocation of a \u003ccode\u003eCryptoVec\u003c/code\u003e buffer for the decompressed data.\u003c/li\u003e\n\u003cli\u003eDue to the unchecked growth, the \u003ccode\u003eCryptoVec\u003c/code\u003e attempts to allocate an excessively large buffer, potentially exceeding available memory.\u003c/li\u003e\n\u003cli\u003eUnder constrained memory conditions, the allocation fails, resulting in a null pointer being passed to \u003ccode\u003eNonNull::new_unchecked()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThis triggers a panic and aborts the process.\u003c/li\u003e\n\u003cli\u003eAlternatively, if the attacker has local access to an SSH agent client or server, they can send oversized agent frame lengths.\u003c/li\u003e\n\u003cli\u003eThe agent client or server attempts to resize its internal buffer based on the attacker-controlled length, triggering the same unchecked allocation issues described above, leading to a process abort.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability can lead to a denial-of-service condition. While the provided information doesn\u0026rsquo;t demonstrate practical code execution or data breaches, the vulnerability allows an attacker to trigger a process abort, especially under constrained memory. This can disrupt SSH services and potentially impact systems relying on SSH for management or communication. This affects \u003ccode\u003erussh-cryptovec\u003c/code\u003e and \u003ccode\u003erussh\u003c/code\u003e packages with versions up to 0.60.2.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Russh version 0.60.3 or later to patch CVE-2026-46673.\u003c/li\u003e\n\u003cli\u003eMonitor process crashes related to \u003ccode\u003erussh\u003c/code\u003e or \u003ccode\u003erussh-cryptovec\u003c/code\u003e, especially in constrained memory environments.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Russh CryptoVec Memory Allocation Failure\u0026rdquo; to identify potential exploitation attempts based on error messages in logs.\u003c/li\u003e\n\u003cli\u003eConsider implementing resource limits for SSH processes to mitigate the impact of potential memory exhaustion attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-21T20:50:19Z","date_published":"2026-05-21T20:50:19Z","id":"https://feed.craftedsignal.io/briefs/2026-05-russh-cryptovec-vuln/","summary":"Russh versions up to 0.60.2 are vulnerable to a memory-safety hardening issue due to unchecked `CryptoVec` allocation and growth handling, reachable from local agent inputs and remote SSH traffic, potentially triggering a process abort under constrained memory conditions.","title":"Russh CryptoVec Unchecked Allocation Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-russh-cryptovec-vuln/"}],"language":"en","title":"CraftedSignal Threat Feed — Russh-Cryptovec (\u003c= 0.60.2)","version":"https://jsonfeed.org/version/1.1"}