CVE-2026-46673: Russh: Unchecked CryptoVec allocation and growth handling is reachable

May 21, 2026 (updated June 11, 2026)

CryptoVec used unchecked capacity growth, unchecked length arithmetic, and unsafe allocation/locking paths. In current russh releases, local SSH agent peers could still feed attacker-controlled frame lengths into buffer growth before validation. In older russh releases before 0.58.0, remote SSH traffic also reached CryptoVec through transport and compression buffers.

References

github.com/Eugeny/russh/security/advisories/GHSA-g9f8-wqj9-fjw5
github.com/advisories/GHSA-g9f8-wqj9-fjw5
nvd.nist.gov/vuln/detail/CVE-2026-46673
rustsec.org/advisories/RUSTSEC-2026-0153.html
rustsec.org/advisories/RUSTSEC-2026-0154.html

Code Behaviors & Features

Detect and mitigate CVE-2026-46673 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →