Home > Vulnerability Database > CVE-2024-43410

Mend.io Vulnerability Database

CVE-2024-43410

Date: August 21, 2024

Russh is a Rust SSH client & server library. Allocating an untrusted amount of memory allows any unauthenticated user to OOM a russh server. An SSH packet consists of a 4-byte big-endian length, followed by a byte stream of this length. After parsing and potentially decrypting the 4-byte length, russh allocates enough memory for this bytestream, as a performance optimization to avoid reallocations later. But this length is entirely untrusted and can be set to any value by the client, causing this much memory to be allocated, which will cause the process to OOM within a few such requests. This vulnerability is fixed in 0.44.1.

Language: RUST

Severity Score

7.5

Related Resources (5)

Url: https://github.com/Eugeny/russh/commit/f660ea3f64b86d11d19e33076012069f02431e55

Url: https://github.com/Eugeny/russh

Url: https://github.com/Eugeny/russh/security/advisories/GHSA-vgvv-x7xg-6cqg

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-43410

Url: https://www.mend.io/vulnerability-database/CVE-2024-43410

Severity Score

7.5

Weakness Type (CWE)

Allocation of Resources Without Limits or Throttling

CWE-770

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-43410

Date: August 21, 2024

Language: RUST

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?