CVE-2026-46702
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk12th percentile - higher than 12% of all known CVEs
Summary
Russh is a Rust SSH client & server library that from version 0.34.0 to before 0.61.1 had an issue accepting compressed packets that, after decompression, were much larger than allowed. This allowed a remote attacker to send packets that should have been rejected, leading to availability issues.
Risk Assessment
For organizations, this poses a risk of denial-of-service attacks that can lead to resource exhaustion. In older versions, the risk is exacerbated due to the use of CryptoVec.
Recommendation
It is recommended to upgrade to version 0.61.1 or later to mitigate this vulnerability. Additionally, systems should be monitored for potential attack attempts exploiting this flaw.
Original NVD description (English source)
Russh is a Rust SSH client & server library. From version 0.34.0 to before version 0.61.1, when SSH compression is enabled, russh accepted compressed packets whose on-wire size passed the normal transport packet-length checks but whose decompressed size was much larger. This allowed a remote peer to send oversized post-decompression packets that should have been rejected. In current releases, this is a remote denial-of-service / resource-exhaustion issue in the post-decompression receive path. In older releases before 0.58.0, the same remote decompression path used CryptoVec, which appears to make the historical impact worse. This issue has been patched in version 0.61.1.

