CVE Catalog

CVE-2026-48108

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.12%

31th percentile — higher than 31% of all known CVEs

Summary

Russh is a Rust SSH client & server library that from version 0.34.0-beta.1 to before version 0.61.0 did not enforce SSH identification-string rules as strictly as OpenSSH. This issue allowed the server to accept malformed identification lines, potentially leading to resource exhaustion during the pre-authentication phase.

Risk Assessment

Organizations using russh may be vulnerable to attacks that exploit invalid identification data, which could lead to server resource exhaustion and potential security issues.

Recommendation

It is recommended to upgrade to version 0.61.0 or later to mitigate this vulnerability and to implement additional monitoring and security measures for servers based on russh.

Original NVD description (English source)

Russh is a Rust SSH client & server library. From version 0.34.0-beta.1 to before version 0.61.0, russh did not enforce the SSH identification-string rules as deliberately as OpenSSH. In particular, the server-side identification reader used the same permissive path as the client, allowing pre-banner lines from clients, and the reader did not enforce a bounded number of pre-banner lines. For a library server built on russh, this could allow a remote peer to hold connection setup resources in the cleartext pre-authentication phase with malformed identification input that should have been rejected early. This issue has been patched in version 0.61.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS