CVE-2026-46702

Russh: Post-decompression SSH packet size was not bounded, allowing remote oversized compressed packets

Assigner: GitHub_M
Reserved: 15.05.2026 Published: 10.06.2026 Updated: 10.06.2026

Russh is a Rust SSH client & server library. From version 0.34.0 to before version 0.61.1, when SSH compression is enabled, russh accepted compressed packets whose on-wire size passed the normal transport packet-length checks but whose decompressed size was much larger. This allowed a remote peer to send oversized post-decompression packets that should have been rejected. In current releases, this is a remote denial-of-service / resource-exhaustion issue in the post-decompression receive path. In older releases before 0.58.0, the same remote decompression path used CryptoVec, which appears to make the historical impact worse. This issue has been patched in version 0.61.1.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Score: 7.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Eugeny
Product	russh
Versions	Version >= 0.34.0, < 0.61.1 is affected

Vendor

Eugeny

Product

russh

Versions

Version >= 0.34.0, < 0.61.1 is affected

References

Problem Types

CWE-770: Allocation of Resources Without Limits or Throttling CWE

CVE-2026-46702 PUBLISHED

Russh: Post-decompression SSH packet size was not bounded, allowing remote oversized compressed packets

Metrics

Product Status

References

Problem Types