Skip to main content

Russh CVE-2026-48108

| EUVD-2026-36130 MEDIUM
Improper Input Validation (CWE-20)
2026-06-10 GitHub_M GHSA-76r6-x97p-67vr
SSH Information Disclosure
5.3
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
vuln.today AI
5.3 MEDIUM

Network-reachable pre-auth SSH phase requires no credentials (PR:N) and no user interaction; impact is limited to partial availability with no confidentiality or integrity exposure.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

2
Patch available
Jun 10, 2026 - 22:01 EUVD
Analysis Generated
Jun 10, 2026 - 21:21 vuln.today

DescriptionCVE.org

Russh is a Rust SSH client & server library. From version 0.34.0-beta.1 to before version 0.61.0, russh did not enforce the SSH identification-string rules as deliberately as OpenSSH. In particular, the server-side identification reader used the same permissive path as the client, allowing pre-banner lines from clients, and the reader did not enforce a bounded number of pre-banner lines. For a library server built on russh, this could allow a remote peer to hold connection setup resources in the cleartext pre-authentication phase with malformed identification input that should have been rejected early. This issue has been patched in version 0.61.0.

AnalysisAI

Resource exhaustion in Russh's SSH server identification-string reader allows unauthenticated remote attackers to hold connection setup resources indefinitely during the cleartext pre-authentication phase. Russh versions 0.34.0-beta.1 through 0.60.x used the same permissive identification reader for both client and server roles, failing to cap the number of pre-banner lines a connecting client could send before the SSH identification string - a constraint OpenSSH enforces strictly per RFC 4253. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Connect to russh SSH server port
Delivery
Stream unbounded pre-banner lines without identification string
Exploit
Server holds connection resources open per session
Execution
Repeat across many parallel connections
Persist
Exhaust server connection pool or memory
Impact
Deny service to legitimate SSH clients
Sign in to reveal

Vulnerability AssessmentAI

Exploitation No authentication is required - exploitation occurs entirely in the pre-authentication, cleartext SSH handshake phase before any credentials are exchanged (PR:N, AV:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, score 5.3 Medium) accurately reflects the threat profile: network-reachable, zero preconditions, no authentication, but limited to partial availability impact (A:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker connects to a russh-based SSH server and, instead of sending a well-formed SSH identification string, streams an unbounded sequence of pre-banner lines without ever completing the handshake. The server allocates and holds connection resources for each such session in the cleartext pre-authentication phase. …
Remediation The vendor-released patch is Russh version 0.61.0, which enforces bounded pre-banner line handling on the server-side identification reader, aligning behavior with OpenSSH and RFC 4253. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-48108 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy