Russh: SSH message fields were decoded through allocation-first parsers before...

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Description

Russh is a Rust SSH client & server library. From version 0.34.0 to before version 0.61.0, several russh client and server message handlers decoded attacker-controlled SSH strings, name-lists, and byte fields into owned allocations before applying field-specific bounds. A remote SSH peer could send oversized, high-fanout, or malformed length-prefixed fields and make the library allocate, attempt to allocate, or split data before rejecting input that should have been rejected earlier. This issue has been patched in version 0.61.0.

Basic Information

ID CVE-2026-48110

Source GitHub_M

Published Jun 10, 2026 at 20:26

Affected Product

Vendor Eugeny

Product russh

Version >= 0.34.0, < 0.61.0

Affected Versions Eugeny russh >= 0.34.0, < 0.61.0

CWE Classification

CWE-20

References

github.com /Eugeny/russh/security/advisories/GHSA-4r3c-5hpg-58qr

{
    "lastseen": "",
    "description": "Russh is a Rust SSH client & server library. From version 0.34.0 to before version 0.61.0, several russh client and server message handlers decoded attacker-controlled SSH strings, name-lists, and byte fields into owned allocations before applying field-specific bounds. A remote SSH peer could send oversized, high-fanout, or malformed length-prefixed fields and make the library allocate, attempt to allocate, or split data before rejecting input that should have been rejected earlier. This issue has been patched in version 0.61.0.",
    "published": "2026-06-10T20:26:29.994Z",
    "modified": "2026-06-10T20:26:29.994Z",
    "type": "cve",
    "title": "Russh: SSH message fields were decoded through allocation-first parsers before field-specific bounds",
    "source": "GitHub_M",
    "references": "https://github.com/Eugeny/russh/security/advisories/GHSA-4r3c-5hpg-58qr",
    "id": "CVE-2026-48110",
    "bulletinFamily": "",
    "cwe": [
        "CWE-20"
    ],
    "cvelist": null,
    "sourceData": "Eugeny russh >= 0.34.0, < 0.61.0",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "russh",
    "version": ">= 0.34.0, < 0.61.0",
    "vendor": "Eugeny",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Russh: SSH message fields were decoded through allocation-first parsers before field-specific bounds_CVE-2026-48110