CVE-2026-48108
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk31th percentile — higher than 31% of all known CVEs
Summary
Russh is a Rust SSH client & server library that from version 0.34.0-beta.1 to before version 0.61.0 did not enforce SSH identification-string rules as strictly as OpenSSH. This issue allowed the server to accept malformed identification lines, potentially leading to resource exhaustion during the pre-authentication phase.
Risk Assessment
Organizations using russh may be vulnerable to attacks that exploit invalid identification data, which could lead to server resource exhaustion and potential security issues.
Recommendation
It is recommended to upgrade to version 0.61.0 or later to mitigate this vulnerability and to implement additional monitoring and security measures for servers based on russh.
Original NVD description (English source)
Russh is a Rust SSH client & server library. From version 0.34.0-beta.1 to before version 0.61.0, russh did not enforce the SSH identification-string rules as deliberately as OpenSSH. In particular, the server-side identification reader used the same permissive path as the client, allowing pre-banner lines from clients, and the reader did not enforce a bounded number of pre-banner lines. For a library server built on russh, this could allow a remote peer to hold connection setup resources in the cleartext pre-authentication phase with malformed identification input that should have been rejected early. This issue has been patched in version 0.61.0.

