CVE-2026-48107: Russh: Unchecked keyboard-interactive prompt count in client auth path
In the russh client keyboard-interactive authentication path, a malicious SSH server could send a USERAUTH_INFO_REQUEST with an attacker-controlled prompt count, and the client would use that raw count directly in Vec::with_capacity(...) before validating that enough prompt data was actually present in the packet.
This is a client-side denial-of-service / resource-exhaustion issue on the keyboard-interactive auth path.
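As an added illustration that is not russh's own code, the following standalone Rust parser for the USERAUTH_INFO_REQUEST prompt section shows the pattern the advisory describes and the check a hardened parser applies: the server-supplied prompt count is bounded by the bytes actually remaining in the packet before it sizes any allocation. The names `Prompt`, `parse_info_request` and `build_request` are the example's own, and the packets it builds are constructed, not captured.

```rust
// Added example (not russh's code): parse the prompt section of an SSH
// USERAUTH_INFO_REQUEST (RFC 4256, 3.2): string name, string instruction, string
// language tag, uint32 num-prompts, then num-prompts (string prompt, boolean echo).
#[derive(Debug, PartialEq)]
pub struct Prompt { pub text: String, pub echo: bool }
const MIN_PROMPT_LEN: usize = 5; // empty string (4-byte length) + 1 echo byte
fn read_u32(buf: &[u8], pos: &mut usize) -> Option<u32> {
    let b: [u8; 4] = buf.get(*pos..*pos + 4)?.try_into().ok()?;
    *pos += 4;
    Some(u32::from_be_bytes(b))
}
fn read_string(buf: &[u8], pos: &mut usize) -> Option<String> {
    let len = read_u32(buf, pos)? as usize;
    let end = pos.checked_add(len)?;
    let s = String::from_utf8_lossy(buf.get(*pos..end)?).into_owned();
    *pos = end;
    Some(s)
}
/// `payload` is the packet body after the message-type byte. Returns None for a
/// malformed packet or one claiming more prompts than its length can hold.
pub fn parse_info_request(payload: &[u8]) -> Option<Vec<Prompt>> {
    let mut pos = 0;
    for _ in 0..3 { read_string(payload, &mut pos)?; } // name, instruction, language
    let n = read_u32(payload, &mut pos)? as usize;
    // Vulnerable pattern: `Vec::with_capacity(n)` straight from the wire, so a count
    // near u32::MAX requests gigabytes before any prompt is read. Every real prompt
    // needs MIN_PROMPT_LEN bytes, so a larger count is bogus and is rejected first.
    if n > payload.len().saturating_sub(pos) / MIN_PROMPT_LEN { return None; }
    let mut prompts = Vec::with_capacity(n); // now bounded by the packet size
    for _ in 0..n {
        let text = read_string(payload, &mut pos)?;
        let echo = *payload.get(pos)? != 0; pos += 1;
        prompts.push(Prompt { text, echo });
    }
    Some(prompts)
}

fn put_string(out: &mut Vec<u8>, s: &str) {
    out.extend_from_slice(&(s.len() as u32).to_be_bytes());
    out.extend_from_slice(s.as_bytes());
}
/// Constructed (not captured) request body; `claimed` may disagree with the prompts.
pub fn build_request(prompts: &[(&str, bool)], claimed: u32) -> Vec<u8> {
    let mut out = Vec::new();
    for _ in 0..3 { put_string(&mut out, ""); } // empty name, instruction, language
    out.extend_from_slice(&claimed.to_be_bytes());
    for (text, echo) in prompts { put_string(&mut out, text); out.push(*echo as u8); }
    out
}
```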