CVE-2026-46702
SSH Compression DoS in Russh Library

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: GitHub, Inc.

Description
Russh is a Rust SSH client & server library. From version 0.34.0 to before version 0.61.1, when SSH compression is enabled, russh accepted compressed packets whose on-wire size passed the normal transport packet-length checks but whose decompressed size was much larger. This allowed a remote peer to send oversized post-decompression packets that should have been rejected. In current releases, this is a remote denial-of-service / resource-exhaustion issue in the post-decompression receive path. In older releases before 0.58.0, the same remote decompression path used CryptoVec, which appears to make the historical impact worse. This issue has been patched in version 0.61.1.
Generated: 2026-06-11
Affected Vendors & Products (3 associated CPEs)
Vendor   Product   Version / Range
russh    russh     up to 0.61.1 (excluding)
russh    russh     from 0.58.0 (including)
russh    russh     0.61.1
CWE
CWE-770: The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Executive Summary

This vulnerability exists in the Russh Rust SSH client and server library versions from 0.34.0 up to but not including 0.61.1. When SSH compression is enabled, the library accepted compressed packets that passed normal size checks on the wire but expanded to a much larger size after decompression. This allowed a remote attacker to send packets that were oversized after decompression, which should have been rejected.

The issue leads to a remote denial-of-service (DoS) or resource exhaustion because the receiving side processes these large decompressed packets, consuming excessive memory. The problem appears to have been worse in versions before 0.58.0 because the decompression path used CryptoVec. The vulnerability was fixed in version 0.61.1.

Impact Analysis

This vulnerability can impact you by allowing a remote attacker to cause a denial-of-service condition on your system using the Russh SSH library. By sending specially crafted compressed packets that decompress to very large sizes, the attacker can exhaust system resources such as memory or CPU, potentially causing the SSH service or the host to become unresponsive or crash.

Mitigation Strategies

To mitigate this vulnerability, upgrade the russh library to version 0.61.1 or later, where the issue has been patched.

Additionally, consider disabling SSH compression if it is enabled, as the vulnerability occurs when SSH compression is active.
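As an added illustration of the defect class described above (not code from russh, from its fix, or from this advisory), the following Python model contrasts a receive path that only checks the on-wire length with one that also bounds the decompressed size. SSH transport compression is zlib over one persistent stream with a flush per packet, which the model reproduces with the standard-library zlib module so it runs without extra dependencies. The 35000-byte cap is an assumption taken from RFC 4253's required minimum packet size, not the limit russh enforces, and the packet contents are constructed for the demo.

```python
import zlib

# Assumed transport limit on a single decompressed payload. RFC 4253 requires
# implementations to accept packets of at least 35000 bytes; the exact cap
# russh enforces is not stated in the advisory, so this value is a placeholder.
MAX_PACKET = 35_000


class OversizedPacket(Exception):
    """Raised when a packet would expand past MAX_PACKET after decompression."""


def compress_packet(compressor, payload: bytes) -> bytes:
    """Emit one SSH-style compressed payload: the shared zlib stream is flushed
    per packet (Z_SYNC_FLUSH) rather than ended, as the transport layer does."""
    return compressor.compress(payload) + compressor.flush(zlib.Z_SYNC_FLUSH)


def wire_size_ok(packet: bytes, limit: int = MAX_PACKET) -> bool:
    """The check that already existed: only the on-wire (compressed) length is examined."""
    return len(packet) <= limit


def decompress_unbounded(decompressor, packet: bytes) -> bytes:
    """Vulnerable pattern: inflate everything the peer sent, whatever it expands to."""
    return decompressor.decompress(packet)


def decompress_bounded(decompressor, packet: bytes, limit: int = MAX_PACKET) -> bytes:
    """Hardened pattern: ask zlib for at most limit+1 bytes of output. If that many
    come out, or compressed input is left over in unconsumed_tail, the packet is
    oversized and the connection should be torn down instead of allocating further."""
    out = decompressor.decompress(packet, limit + 1)
    if len(out) > limit or decompressor.unconsumed_tail:
        raise OversizedPacket(f"decompressed size exceeds {limit} bytes")
    return out


def demo() -> dict:
    """Constructed inputs: a normal packet and one that inflates to 1 MiB of zeros.
    Both are well under MAX_PACKET on the wire; only the second is oversized after inflation."""
    comp = zlib.compressobj()
    benign = compress_packet(comp, b"SSH_MSG_CHANNEL_DATA payload")
    bomb = compress_packet(comp, b"\x00" * (1 << 20))

    results = {
        "benign_wire_ok": wire_size_ok(benign),
        "bomb_wire_ok": wire_size_ok(bomb),
    }

    # Unbounded path: both packets pass the wire check; the second expands to 1 MiB.
    d = zlib.decompressobj()
    results["benign_unbounded_len"] = len(decompress_unbounded(d, benign))
    results["bomb_unbounded_len"] = len(decompress_unbounded(d, bomb))

    # Bounded path over a fresh stream: the bomb is rejected before it fully expands.
    d = zlib.decompressobj()
    results["benign_bounded_len"] = len(decompress_bounded(d, benign))
    try:
        decompress_bounded(d, bomb)
        results["bomb_rejected"] = False
    except OversizedPacket:
        results["bomb_rejected"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is that the bound is applied inside the inflate call, so memory use is capped at limit+1 bytes regardless of what the peer sends; checking `len(out)` only after an unbounded inflate would still allocate the full expansion first. Once an oversized packet is detected, the decompression stream state is no longer usable, so a real implementation closes the connection rather than continuing with the next packet.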
