CVE-2026-46705— russh server userauth state is not reset when authentication principal changes
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-46705
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
russh server userauth state is not reset when authentication principal changes
Source: NVD (National Vulnerability Database)
Vulnerability Description
Russh is a Rust SSH client & server library. From version 0.34.0-beta.1 to before version 0.61.0, the russh server authentication path keeps internal userauth state across SSH_MSG_USERAUTH_REQUEST messages without separating that state when the request principal changes. RFC 4252 allows the user name and service name fields to change between authentication requests. The issue is not that such changes are invalid. The issue is that russh-owned authentication state, such as remaining methods, partial-success state, and in-progress method state, can remain associated with the connection and then influence a later request for a different (user, service). This is an internal library state mismatch. This issue has been patched in version 0.61.0.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
认证机制不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
Russh 授权问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Russh是Eugene个人开发者的一个 Rust SSH 客户端和服务器端库。 Russh 0.34.0-beta.1版本至0.61.0之前版本存在授权问题漏洞,该漏洞源于服务器认证路径在请求主体变化时未分离内部认证状态,可能导致状态不匹配。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-46705
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-46705
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-46705 (1)
Same Patch Batch · Eugeny · 2026-06-10 · 6 CVEs total
| CVE-2026-48110 | 7.5 HIGH | Russh: SSH message fields were decoded through allocation-first parsers before field-speci |
| CVE-2026-46702 | 7.5 HIGH | Russh: Post-decompression SSH packet size was not bounded, allowing remote oversized compr |
| CVE-2026-46673 | 7.5 HIGH | Russh: Unchecked CryptoVec allocation and growth handling is reachable from local agent in |
| CVE-2026-48107 | 6.5 MEDIUM | Russh: Unchecked keyboard-interactive prompt count in client auth path |
| CVE-2026-48108 | 5.3 MEDIUM | Russh: SSH identification parsing accepted non-canonical client banners and did not bound |
IV. Related Vulnerabilities
Same product: russh
- CVE-2026-48110
Russh: SSH message fields were decoded through allocation-fi - CVE-2026-48108
Russh: SSH identification parsing accepted non-canonical cli - CVE-2026-48107
Russh: Unchecked keyboard-interactive prompt count in client - CVE-2026-46702
Russh: Post-decompression SSH packet size was not bounded, a - CVE-2026-46673
Russh: Unchecked CryptoVec allocation and growth handling is
Same vendor: Eugeny
- CVE-2026-48110
Russh: SSH message fields were decoded through allocation-fi - CVE-2026-48108
Russh: SSH identification parsing accepted non-canonical cli - CVE-2026-48107
Russh: Unchecked keyboard-interactive prompt count in client - CVE-2026-46702
Russh: Post-decompression SSH packet size was not bounded, a - CVE-2026-46673
Russh: Unchecked CryptoVec allocation and growth handling is
Same weakness: CWE-287
V. Comments for CVE-2026-46705
No comments yet