Russh, Unchecked CryptoVec Allocation, CVE(not_in_) (High)

Listen to this Post

How the CVE works: The vulnerability stems from unsafe growth handling in CryptoVec, a buffer type used in Russh SSH library. In current Russh versions (up to 0.60.x), local SSH agent peers could supply an attacker-controlled u32 frame length to `AgentClient::read_response()` or Connection::run(). The code resized a buffer to that length before any validation, allowing oversized allocations. In historical Russh releases before 0.58.0, remote SSH traffic could also trigger this via transport packet reads or zlib decompression outputs that expanded CryptoVec buffers without checked capacity or length arithmetic. The unsafe paths included `cryptovec/src/cryptovec.rs` (unchecked growth, raw allocation) and `cryptovec/src/platform/unix.rs` (null-pointer validation missing in mlock/munlock). A constrained-memory test using `prlimit –as=134217728` caused a crash when `NonNull::new_unchecked()` received a null pointer after allocation failure. The fix caps agent frame lengths at 256 KiB (matching OpenSSH) and hardens CryptoVec with checked growth, length arithmetic, allocation-failure handling, and zero-length no-ops for locking.

DailyCVE form:

Platform: Russh library
Version: <0.60.2,<0.58.0
Vulnerability: Unchecked buffer growth
Severity: High
date: 2025 (disclosed)

Prediction: Patch already released (0.60.3)

Analytics under What Undercode Say:

Count oversized agent frame attempts in logs
grep -c "AgentProtocolError" /var/log/russh.log
Monitor memory usage of russh processes
ps aux | grep russh | awk '{print $6}'
Test for vulnerability using cargo
cargo test -p russh oversized_agent_response_is_rejected_before_allocation -- --nocapture
cargo test -p russh oversized_agent_request_is_rejected_before_allocation -- --nocapture
Historical pre-0.58.0 test
cargo test --offline -p russh remote_compressed_payload_can_crash_under_memory_limit -- --nocapture

Exploit:

Local SSH agent peer sends a malicious frame length >256KB to `AgentClient` or `Connection` before validation. For historical versions (<0.58.0), remote attacker sends crafted SSH transport packet or compressed payload that expands to huge size (e.g., 96 MiB), triggering null-pointer dereference in `NonNull::new_unchecked()` under memory constraints, causing process abort.

Protection from this CVE:

Upgrade to Russh >=0.60.3 (or any post-fix commit). If upgrade impossible, apply patch that caps agent frame lengths to 2561024 bytes before buffer resize. For historical deployments, restrict SSH connections to trusted IPs and disable agent forwarding. Add memory limits via `prlimit –as=256M` to mitigate abort impact.

Impact:

Memory-safety hardening issue with untrusted-input reachable locally (agent) and historically remotely. Demonstrated crash (denial of service) under constrained memory, but no code execution or confidentiality break proven.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top