GHSA-vc8p-8pxg-rfwg: ConnectBot SSH Client Library: Excessive allocation and integer overflow in DER private-key parsing
The DER parser used for application-supplied private keys did not safely validate encoded length values before converting them to Int values or allocating arrays.
A malformed private-key file could encode a length that overflowed or wrapped around, or request an allocation much larger than the available input. This could cause parsing errors or an uncaught OutOfMemoryError, potentially terminating the application process.
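The checks such a fix requires, as an added example that is not ConnectBot's own code: a DER length decoder that rejects the indefinite form, length fields longer than four bytes, values that do not fit a non-negative int, and declared lengths exceeding the remaining input, all before anything is allocated. It assumes Java 16 or later for the record type; the sample byte arrays are constructed.

```java
import java.util.Arrays;

/** Added example of a bounds-checked DER length decoder; not ConnectBot's own code. */
public final class DerLength {
    /** Decoded content length plus the offset at which the content bytes begin. */
    public record Decoded(int length, int contentOffset) {}

    /** Decodes the DER length field at {@code offset}; every check runs before any allocation. */
    public static Decoded decodeLength(byte[] der, int offset) {
        if (offset >= der.length) throw new IllegalArgumentException("truncated length field");
        int first = der[offset] & 0xFF;
        int numBytes = 0;          // 0 means short form: the first byte is the length itself
        long value = first;
        if (first >= 0x80) {
            numBytes = first & 0x7F;
            if (numBytes == 0) throw new IllegalArgumentException("indefinite length is not valid DER");
            // More than four length bytes can never describe a Java array; this also stops wrap-around.
            if (numBytes > 4) throw new IllegalArgumentException("length field of " + numBytes + " bytes is too long");
            if (numBytes > der.length - offset - 1) throw new IllegalArgumentException("truncated long-form length");
            value = 0; // accumulate in a long so four 0xFF bytes cannot wrap negative
            for (int i = 1; i <= numBytes; i++) value = (value << 8) | (der[offset + i] & 0xFF);
            if (value > Integer.MAX_VALUE) throw new IllegalArgumentException("length " + value + " does not fit in an int");
        }
        int contentOffset = offset + 1 + numBytes;
        int remaining = der.length - contentOffset;
        // Refuse any declared length larger than the bytes actually present after the field.
        if (value > remaining) throw new IllegalArgumentException("declared " + value + " bytes but only " + remaining + " remain");
        return new Decoded((int) value, contentOffset);
    }

    public static void main(String[] args) {
        // Constructed samples: a valid OCTET STRING, then three malformed length fields.
        byte[][] samples = {
            {0x04, 0x03, 0x01, 0x02, 0x03},                                          // valid, short form
            {0x04, (byte) 0x84, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF}, // 0xFFFFFFFF wraps to -1 in an int
            {0x04, (byte) 0x82, 0x7F, (byte) 0xFF, 0x00},                            // claims 32767 bytes, carries 1
            {0x04, (byte) 0x80, 0x00, 0x00},                                         // indefinite form
        };
        for (byte[] s : samples) {
            try {
                Decoded d = decodeLength(s, 1); // offset 1 skips the tag byte
                byte[] content = Arrays.copyOfRange(s, d.contentOffset(), d.contentOffset() + d.length());
                System.out.println("ok: " + Arrays.toString(content));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Only the first sample decodes; the other three are rejected with a descriptive error instead of reaching an array allocation or a wrapped-around Int.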