Russh: SSH message fields were decoded through allocation-first parsers before field-specific bounds
CVE-2026-48110

7.5HIGH

Key Information:

Vendor: Eugeny
Status: Russh
Vendor: CVE Published:; 10 June 2026

What is CVE-2026-48110?

Russh is a Rust SSH client & server library. From version 0.34.0 to before version 0.61.0, several russh client and server message handlers decoded attacker-controlled SSH strings, name-lists, and byte fields into owned allocations before applying field-specific bounds. A remote SSH peer could send oversized, high-fanout, or malformed length-prefixed fields and make the library allocate, attempt to allocate, or split data before rejecting input that should have been rejected earlier. This issue has been patched in version 0.61.0.

Affected Version(s)

russh >= 0.34.0, < 0.61.0

References

https://github.com/Eugeny/russh/security/advisories/GHSA-...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 10, 2026
Vulnerability Reserved
May 20, 2026

CVE-2026-48110 Data

JSON