Technologyglobal✓ verified · 90%

Russh SSH message fields were decoded through allocation-first parsers before field-specific bounds

Name: Russh SSH message fields were decoded through allocation-first parsers before field-specific bounds
Start: 2026-06-11T20:33:21Z
Location: Global (internet)

When: 2026-06-11 20:33 UTC
Where: Global (internet)
Category: cyber_advisory · rust

# SSH message fields were decoded through allocation-first parsers before field-specific bounds ### Summary Several `russh` client and server message handlers decoded attacker-controlled SSH strings, name-lists, and byte fields into owned allocations before applying field-specific bounds. A remote SSH peer could send oversized, high-fanout, or malformed length-prefixed fields and make the library allocate, attempt to allocate, or split data before rejecting input that should have been rejected earlier. ### Affected Versions Oldest verified exploitable stable release: `russh 0.34.0`. - Historical stronger case: `russh >= 0.34.0, < 0.58.0`. These releases have the allocation-first KEXINIT field parsing issue and still use `CryptoVec` for inbound packet/decompression buffers. A peer can combine negotiated RFC `zlib`, rekey, compressed KEXINIT expansion, historical `CryptoVec` decompression growth, and KEXINIT name-list fanout. - Current maintained-line case: `russh >= 0.58.0`, including `0.60.2`. These releases moved non-secret packet/decompression buffers off `CryptoVec`, but the allocation-first SSH field parser issue remains reachable as a `Vec`/`String`/name-list resource exhaustion issue. Prerelease coverage was not claimed for the zlib/`CryptoVec`/KEXINIT combo because the combined historical exploit shape was verified against stable `v0.34.0`-era code and reproduced the stress behavior on `v0.57.1`. ### Details The affected parser pattern appeared across the SSH transport and encrypted-message parser code: - KEX negotiation parsing - client encrypted-message parsing - server encrypted-message parsing - shared SSH parsing helpers Examples of allocation-first field parsing covered by the fix include: - KEXINIT name-lists - client `USERAUTH_FAILURE` method lists - client `USERAUTH_BANNER` text fields - client `USERAUTH_PK_OK` fields - client `EXT_INFO` extension fields - server `SERVICE_REQUEST` names - server `USERAUTH_REQUEST` header fields - server password/publickey/keyboard-interactive auth fields, excluding the already-submitted prompt-count issue - server and client channel/global request names - server pty, x11, env, exec, subsystem, signal, and forwarding request fields - channel-open-failure description and language fields Before the fix, these handlers generally used `ssh_encoding::Decode` into `String`, `Bytes`, `Vec`, or `NameList` first, then validated semantics later. For length-prefixed SSH fields, that means the owned decoder can accept an attacker-controlled length prefix and allocate or attempt allocation before discovering that the packet is truncated or above a local field bound. The fix introduces borrowed bounded parsing helpers such as `take_str`, `take_bytes`, and `take_name_list`. ### RFC / OpenSSH Comparison RFC 4251 section 5 defines SSH `string` and `name-list` encodings. RFC 4253 and RFC 4254 then use those encodings throughout KEX, auth, channel, and forwarding messages. The RFC encoding permits large length prefixes, so implementations need local bounds appropriate to their packet and parser model. RFC 4251 also says each name inside a `name-list` is non-empty, cannot contain a comma, and is made of US-ASCII names. RFC 4253 section 7.1 requires the algorithm name-lists in `SSH_MSG_KEXINIT` to contain at least one algorithm name, while language name-lists may be empty. OpenSSH portable commonly parses SSH fields with packet-buffer helpers and then immediately checks message completion: - `openssh-portable`: `kex.c`: `kex_input_kexinit()` / `kex_buf2prop()` - `openssh-portable`: `auth2.c`: `USERAUTH_REQUEST` header parsing - `openssh-portable`: `sshconnect2.c`: client auth reply parsing - `openssh-portable`: `serverloop.c`: global and channel-open parsing - `openssh-portable`: `session.c`: channel request parsing - `openssh-portable`: `packet.c`: `sshpkt_get_cstring()`, `sshpkt_get_string()`, `sshpkt_get_end()` `openssh-portable` was checked at `45b30e0a5`. OpenSSH generally gets its size safety from the already-bounded packet buffer and `sshbuf` helpers; it does not always avoid allocating a copied field. The `russh` patch is stricter in Rust-specific shape by using borrowed bounded helpers where practical, but the protocol alignment is the same: reject oversized or malformed name-lists/strings within a bounded packet parser. ### PoC Inline availability stress PoC: an unauthenticated client sends concurrent `SSH_MSG_KEXINIT` payloads with a large but packet-sized first name-list containing many small algorithm names. This reaches the server-side initial key-exchange parser before user authentication and drives allocation-heavy owned decoding and name-list splitting. In a local direct-parser stress harness, 512 concurrent connection-equivalent parser workers parsing this payload eight times each raised process memory from about 4 MiB RSS to about 4.45 GiB RSS: ```text threads=512 iterations_per_thread=8 total_iterations=4096 payload_bytes=262103 errors=0 elapsed_ms=5880 VmRSS: 4056 KiB -> 4661032 KiB VmHWM: 4056 KiB -> 4674200 KiB ``` That concurrency level is material: the multi-GiB result required 512 simultaneous connection-equivalent parser contexts and about 1.02 GiB of total input across the run. The harness exercises the vulnerable pre-auth KEXINIT parser directly rather than opening real sockets, but the parsed bytes are ordinary SSH KEXINIT payload bytes reachable from a remote unauthenticated SSH peer. Historical pre-`0.58.0` amplification note: before `0.58.0`, inbound packet and decompression buffers still used `CryptoVec`. To get the stronger historical growth, the peer must negotiate RFC `zlib` compression, complete the first key exchange, and then send a compressed rekey `SSH_MSG_KEXINIT` carrying the same high-fanout name-list shape. In a `v0.57.1` harness, a 652-byte compressed rekey KEXINIT inflated to a 600,103-byte KEXINIT payload, grew the historical `CryptoVec` decompression output, and then entered the same allocation-heavy KEXINIT name-list parser: ```text threads=512 iterations_per_thread=2 total_iterations=1024 decompressed_payload_bytes=600103 compressed_payload_bytes=652 errors=0 elapsed_ms=5606 VmRSS: 5268 KiB -> 1464624 KiB VmHWM: 5268 KiB -> 7014560 KiB ``` The constrained-memory result is useful because it shows where this becomes a service-killing failure rather than only elevated RSS. With the same historical code path, a roughly 1 KiB compressed rekey KEXINIT can force `CryptoVec` decompression growth into the parser fanout. Under an address-space limit, the process aborted on allocator failure while trying to satisfy one of the intermediate growth allocations: ```text memory allocation of 262144 bytes failed ``` That historical result combines the field-parser issue in this report with the pre-`0.58.0` `CryptoVec` allocation/growth behavior. The important maintainer takeaway is the amplification shape: very small compressed rekey packets can create much larger historical `CryptoVec` buffers and then immediately feed the unbounded KEXINIT name-list parser. It is included here to explain historical severity and exploit shape; the separate CryptoVec advisory covers the underlying `CryptoVec` allocation/growth bug itself. ```rust #[test] fn stress_kexinit_many_names_many_connections() { use std::borrow::Cow; use std::sync::Arc; use byteorder::{BigEndian, ByteOrder}; use ssh_key::Algorithm; use crate::negotiation::{Preferred, Select, Server}; use crate::{cipher, compression, kex, mac, msg}; fn no_crypto_preferred() -> Preferred { Preferred { kex: Cow::Owned(vec![kex::NONE]), key: Cow::Owned(vec![Algorithm::Ed25519]), cipher: Cow::Owned(vec![cipher::NONE]), mac: Cow::Owned(vec![mac::NONE]), compression: Cow::Owned(vec![compression::NONE]), } } fn encode_string(buf: &mut Vec<u8>, value: &[u8]) { let mut len = [0; 4]; BigEndian::wr

Sources

GitHub Advisory Database ↗ · first seen 2026-06-11 20:33 UTC

Defaxon links out to the original reporting and never republishes article text.

Correlated events

Computed by the Defaxon correlation engine — linked by shared actors, co-location, and temporal proximity. Scored hypotheses, never causal claims.

No correlated events found in the current window. As more events arrive, connections form automatically.

← Back to the live map