CVE-2026-42189: Russh SSH Library DoS Vulnerability

The National Vulnerability Database has detailed CVE-2026-42189, a pre-authentication denial-of-service vulnerability affecting Russh, a Rust-based SSH client and server library. The flaw, present in versions prior to 0.60.1, resides in the server’s keyboard-interactive authentication handler.

A malicious actor can exploit this vulnerability without any credentials. By sending a single malformed packet, an attacker can crash any Russh-based server configured to use keyboard-interactive authentication, a common setup for multi-factor authentication (MFA) or TOTP. The National Vulnerability Database assigns this issue a CVSS score of 7.5 (HIGH), highlighting its significant impact on availability.

This isn’t just a theoretical bug. A crash like this means immediate service disruption, potentially taking critical systems offline. For defenders, it’s a stark reminder that even pre-authentication components can be attack surfaces for impactful DoS. The fix is straightforward: update to Russh version 0.60.1 or later.

What This Means For You

  • If your organization utilizes Russh in any SSH server implementation, particularly those leveraging keyboard-interactive authentication for MFA or other purposes, you are directly exposed to a denial-of-service attack. Prioritize patching to version 0.60.1 immediately to prevent unauthenticated server crashes.
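
One way to check a project for exposure, as an added example that is not code from Russh or from the original advisory: the Rust program below scans a Cargo.lock for entries of the crate named exactly russh that predate 0.60.1. The function names and the sample lockfile are constructed for illustration, and the check does not tell you whether keyboard-interactive authentication is enabled.

```rust
// Added example (names are illustrative). First fixed release, per the advisory:
const FIXED: (u64, u64, u64) = (0, 60, 1);
// Constructed sample lockfile, not taken from a real project.
const SAMPLE_LOCK: &str = r#"version = 4
[[package]]
name = "russh"
version = "0.54.1"
[[package]]
name = "russh-cryptovec"
version = "0.52.0"
"#;

// Split "X.Y.Z[-pre][+build]" into its numeric triple and a pre-release flag.
fn parse_version(v: &str) -> Option<((u64, u64, u64), bool)> {
    let core = v.split('+').next()?;
    let (nums, pre) = core.split_once('-').map_or((core, false), |(n, _)| (n, true));
    let mut it = nums.split('.').map(|p| p.parse::<u64>().ok());
    let triple = (it.next()??, it.next()??, it.next()??);
    if it.next().is_some() { None } else { Some((triple, pre)) }
}

// Older than the fix? Unparseable input fails closed; 0.60.1-rc.1 precedes 0.60.1.
fn is_vulnerable(v: &str) -> bool {
    parse_version(v).map_or(true, |(t, pre)| t < FIXED || (t == FIXED && pre))
}

// Locked versions of the crate named exactly "russh" that predate the fix.
fn vulnerable_russh(lock: &str) -> Vec<String> {
    let mut hits = Vec::new();
    let mut name = None;
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            name = None;
        } else if let Some(n) = line.strip_prefix("name = ") {
            name = Some(n.trim_matches('"'));
        } else if let Some(v) = line.strip_prefix("version = ") {
            let v = v.trim_matches('"');
            if name == Some("russh") && is_vulnerable(v) { hits.push(v.to_string()); }
        }
    }
    hits
}

fn main() {
    // Scans the Cargo.lock named by the first argument, else the sample above.
    let lock = std::env::args().nth(1).map(|p| std::fs::read_to_string(p).expect("readable lockfile"));
    let hits = vulnerable_russh(lock.as_deref().unwrap_or(SAMPLE_LOCK));
    println!("russh versions older than 0.60.1: {:?}", hits);
}
```

The exact-name match keeps sibling crates such as russh-cryptovec, which carry their own version numbers, from being reported.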

🛡️ Detection Rules

Web Application Exploitation Attempt — CVE-2026-42189

Sigma YAML:
title: Web Application Exploitation Attempt — CVE-2026-42189
id: scw-2026-05-08-1
status: experimental
level: high
description: |
  Detects common exploitation patterns targeting web applications. Review CVE-2026-42189 advisories for specific indicators.
author: SCW Feed Engine (auto-generated)
date: 2026-05-08
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-42189/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  # Matches generic web-attack substrings in the query string of web server
  # logs (cs-uri-query); it does not inspect SSH traffic.
  selection:
    cs-uri-query|contains:
      - '..'
      - 'SELECT'
      - 'UNION'
      - '<script'
      - 'cmd='
      - '/etc/passwd'
  condition: selection
falsepositives:
  - Legitimate activity from CVE-2026-42189

Source: Shimi's Cyber World · License & reuse

Indicators of Compromise

ID              Type  Indicator
CVE-2026-42189  DoS   Russh library versions prior to 0.60.1
CVE-2026-42189  DoS   Russh server's keyboard-interactive authentication handler
CVE-2026-42189  DoS   Pre-authentication denial-of-service

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 08, 2026 at 23:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
