Skip to main content

Russh EUVDEUVD-2026-36131

| CVE-2026-48110 HIGH
Improper Input Validation (CWE-20)
2026-06-10 GitHub_M GHSA-4r3c-5hpg-58qr
7.5
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Pre-auth SSH decode flaw reachable over the network with no user interaction; impact is availability-only via over-allocation, with no confidentiality or integrity effect.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Patch available
Jun 10, 2026 - 22:01 EUVD
Analysis Generated
Jun 10, 2026 - 21:17 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 2 cargo packages depend on russh (2 direct, 0 indirect)

Ecosystem-wide dependent count for version 0.34.0.

DescriptionCVE.org

Russh is a Rust SSH client & server library. From version 0.34.0 to before version 0.61.0, several russh client and server message handlers decoded attacker-controlled SSH strings, name-lists, and byte fields into owned allocations before applying field-specific bounds. A remote SSH peer could send oversized, high-fanout, or malformed length-prefixed fields and make the library allocate, attempt to allocate, or split data before rejecting input that should have been rejected earlier. This issue has been patched in version 0.61.0.

AnalysisAI

Denial of service in Russh (Rust SSH client/server library) versions 0.34.0 through 0.60.x allows remote SSH peers to trigger excessive memory allocation by sending oversized, high-fanout, or malformed length-prefixed SSH strings, name-lists, and byte fields before field-specific bounds checks are applied. The flaw affects both client and server message handlers and impacts availability only (CVSS 7.5, C:N/I:N/A:H). No public exploit identified at time of analysis.

Technical ContextAI

Russh is a pure-Rust implementation of the SSH2 protocol used as both a client and server library, typically embedded in applications that need programmatic SSH (e.g., bastions, automation, custom servers). The root cause is CWE-20 (Improper Input Validation): the SSH wire format uses length-prefixed strings, name-lists, and byte arrays (RFC 4251 §5), and Russh's decoders allocated owned buffers sized from those attacker-controlled length fields - or eagerly split/iterated over high-fanout name-lists - before enforcing the per-field maximums that the protocol logic later expected. This lets a peer drive the process toward over-allocation during the early decode stage rather than being rejected at the framing layer.

RemediationAI

Vendor-released patch: russh 0.61.0 - upgrade the russh dependency in Cargo.toml to >=0.61.0 and rebuild/redeploy all consuming binaries (cargo update -p russh), then verify the lockfile no longer references a 0.34.0-0.60.x release. Consult the GHSA at https://github.com/Eugeny/russh/security/advisories/GHSA-4r3c-5hpg-58qr for the exact patched commits. If immediate upgrade is not possible, compensating controls include restricting inbound SSH to known source IPs at the firewall (reduces but does not eliminate exposure if any allowed peer is malicious), placing the russh-based server behind a hardened SSH bastion or proxy that terminates and re-frames SSH (adds latency and operational complexity), and applying per-process memory cgroup/ulimit caps so an over-allocation crashes only the worker rather than the host (causes legitimate sessions to fail under load). For russh used as a client, avoid connecting to untrusted SSH servers until patched.

Share

EUVD-2026-36131 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy