CVE-2026-48110 | THREATINT

Description

Russh is a Rust SSH client & server library. From version 0.34.0 to before version 0.61.0, several russh client and server message handlers decoded attacker-controlled SSH strings, name-lists, and byte fields into owned allocations before applying field-specific bounds. A remote SSH peer could send oversized, high-fanout, or malformed length-prefixed fields and make the library allocate, attempt to allocate, or split data before rejecting input that should have been rejected earlier. This issue has been patched in version 0.61.0.

PUBLISHED Reserved 2026-05-20 | Published 2026-06-10 | Updated 2026-06-10 | Assigner GitHub_M

HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Problem types

CWE-20: Improper Input Validation

Product status

>= 0.34.0, < 0.61.0

affected

References

github.com/.../russh/security/advisories/GHSA-4r3c-5hpg-58qr

cve.org (CVE-2026-48110)

nvd.nist.gov (CVE-2026-48110)

Download JSON