CVE-2026-48110

Published: Jun 10, 2026Modified: Jun 11, 2026Deferred

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: security-advisories@github.com (Secondary)

Description

Russh is a Rust SSH client & server library. From version 0.34.0 to before version 0.61.0, several russh client and server message handlers decoded attacker-controlled SSH strings, name-lists, and byte fields into owned allocations before applying field-specific bounds. A remote SSH peer could send oversized, high-fanout, or malformed length-prefixed fields and make the library allocate, attempt to allocate, or split data before rejecting input that should have been rejected earlier. This issue has been patched in version 0.61.0.

Related CWEs

CWE-20

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (2)

https://github.com/Eugeny/russh/security/advisories/GHSA-4r3c-5hpg-58qr

Source: security-advisories@github.com

https://github.com/Eugeny/russh/security/advisories/GHSA-4r3c-5hpg-58qr

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Timeline

No history available yet.