GHSA-CH3Q-CW5R-F4HG: Unbounded SSH field lengths cause excessive memory allocation in ConnectBot SSH Client Library
Vulnerability ID: GHSA-CH3Q-CW5R-F4HG
CVSS Score: 7.5
Published: 2026-06-12
A denial-of-service vulnerability in the ConnectBot SSH Client Library (cbssh) up to version 0.3.0 allows remote attackers to cause uncontrolled resource consumption. The library uses Kaitai Struct to parse incoming binary streams, but it did not validate the declared length of SSH fields against the physical stream size, leading to excessive memory allocation and OutOfMemoryError crashes.
TL;DR
Unvalidated packet length fields in cbssh allow a malicious SSH server to crash the client application via OutOfMemoryError by sending an inflated size header.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-770
- Attack Vector: Network (Remote)
- CVSS Severity: Medium-High (7.5)
- Impact: Denial of Service (DoS) via OutOfMemoryError
- Exploit Status: Proof-of-Concept
- Affected Versions: <= v0.3.0
- Patched Version: v0.3.1
Affected Systems
- ConnectBot SSH Client Library (cbssh)
Mitigation Strategies
- Upgrade the cbssh library dependency to version v0.3.1 or newer.
- Incorporate stream boundary validations in Kaitai Struct parser declarations.
Remediation Steps:
- Open the project's dependency configurations (e.g., build.gradle or libs.versions.toml).
- Locate the ConnectBot cbssh dependency entry.
- Update the version number to 0.3.1.
- Sync the build system and recompile the application so that it bundles the patched compiled parser files.
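The stream boundary validation named under Mitigation Strategies, sketched in plain Java as an added example; it is not cbssh code or Kaitai Struct generated code. The class and method names and the MAX_FIELD_LEN cap are assumptions for illustration, and the field layout is the standard SSH "string" (uint32 length followed by the data).

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

// Added example, not cbssh code: class, method and constant names are hypothetical.
public class SshStringBounds {
    // Assumed policy cap for a single field; choose a value that fits your protocol use.
    static final int MAX_FIELD_LEN = 256 * 1024;

    // Before: trusts the peer-declared length and allocates immediately.
    static byte[] readStringUnchecked(DataInputStream in) throws IOException {
        int declared = in.readInt();          // SSH "string": uint32 length, then data
        byte[] buf = new byte[declared];      // a huge or negative value fails here
        in.readFully(buf);
        return buf;
    }

    // After: compare the declared length with what the stream can still supply.
    static byte[] readStringChecked(DataInputStream in, int remaining) throws IOException {
        if (remaining < 4) throw new IOException("truncated length prefix");
        long declared = in.readInt() & 0xFFFFFFFFL;   // treat the length as unsigned
        if (declared > remaining - 4 || declared > MAX_FIELD_LEN) {
            throw new IOException("declared length " + declared
                    + " exceeds " + (remaining - 4) + " bytes available");
        }
        byte[] buf = new byte[(int) declared];        // allocation is now bounded
        in.readFully(buf);
        return buf;
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs: a well-formed field, and a 4-byte header claiming about 2 GiB.
        byte[] good = {0, 0, 0, 3, 's', 's', 'h'};
        byte[] inflated = {0x7F, (byte) 0xFF, (byte) 0xFF, (byte) 0xF0, 'x'};

        for (byte[] packet : new byte[][] {good, inflated}) {
            DataInputStream in = new DataInputStream(new ByteArrayInputStream(packet));
            try {
                byte[] v = readStringChecked(in, packet.length);
                System.out.println("ok: " + new String(v, StandardCharsets.US_ASCII));
            } catch (IOException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The checked reader rejects the inflated header with an IOException before any buffer is allocated, so the failure stays a recoverable parse error instead of an OutOfMemoryError.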
References
- GitHub Security Advisory GHSA-CH3Q-CW5R-F4HG
- ConnectBot SSH Client Library GitHub Repository
- cbssh v0.3.1 Release Page
- cbssh v0.3.0 to v0.3.1 Comparison