CVE Catalog

CVE-2026-46702

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.04%

12th percentile - higher than 12% of all known CVEs

Summary

Russh is a Rust SSH client & server library that from version 0.34.0 to before 0.61.1 had an issue accepting compressed packets that, after decompression, were much larger than allowed. This allowed a remote attacker to send packets that should have been rejected, leading to availability issues.

Risk Assessment

For organizations, this poses a risk of denial-of-service attacks that can lead to resource exhaustion. In older versions, the risk is exacerbated due to the use of CryptoVec.

Recommendation

It is recommended to upgrade to version 0.61.1 or later to mitigate this vulnerability. Additionally, systems should be monitored for potential attack attempts exploiting this flaw.

Original NVD description (English source)

Russh is a Rust SSH client & server library. From version 0.34.0 to before version 0.61.1, when SSH compression is enabled, russh accepted compressed packets whose on-wire size passed the normal transport packet-length checks but whose decompressed size was much larger. This allowed a remote peer to send oversized post-decompression packets that should have been rejected. In current releases, this is a remote denial-of-service / resource-exhaustion issue in the post-decompression receive path. In older releases before 0.58.0, the same remote decompression path used CryptoVec, which appears to make the historical impact worse. This issue has been patched in version 0.61.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS