Pre-authentication Denial-of-Service Vulnerability in Russh SSH Client & Server
CVE-2026-42189

7.5HIGH

Key Information:

Vendor

Eugeny

Status
Russh
Vendor
CVE Published:
8 May 2026

What is CVE-2026-42189?

The Russh SSH client and server library is susceptible to a vulnerability that allows attackers to perform a pre-authentication denial-of-service attack. Specifically, prior to version 0.60.1, the server's keyboard-interactive authentication handler can be exploited by a malicious client sending a single malformed packet without needing any credentials. This vulnerability can cause a russh-based server implementing keyboard-interactive authentication, such as for two-factor authentication (2FA) or time-based one-time passwords (TOTP), to crash. The issue has been addressed in the release of version 0.60.1.

Affected Version(s)

russh < 0.60.1

References

https://github.com/Eugeny/russh/security/advisories/GHSA-...
x_refsource_CONFIRM
https://github.com/Eugeny/russh/commit/6c3c80a9b6d60763d6...
x_refsource_MISC
https://github.com/Eugeny/russh/releases/tag/v0.60.1
x_refsource_MISC

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.