CVE-2026-46702
Deferred - Pending Action

SSH Compression DoS in Russh Library

Vulnerability report for CVE-2026-46702, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-10

Last updated on: 2026-06-11

Assigner: GitHub, Inc.

Description

Russh is a Rust SSH client & server library. From version 0.34.0 to before version 0.61.1, when SSH compression is enabled, russh accepted compressed packets whose on-wire size passed the normal transport packet-length checks but whose decompressed size was much larger. This allowed a remote peer to send oversized post-decompression packets that should have been rejected. In current releases, this is a remote denial-of-service / resource-exhaustion issue in the post-decompression receive path. In older releases before 0.58.0, the same remote decompression path used CryptoVec, which appears to make the historical impact worse. This issue has been patched in version 0.61.1.
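The defect described above is a missing bound on the post-decompression size: the on-wire length check passes, but nothing caps how much the packet may inflate to. The following is an added example, not russh code, showing the receive-path check that closes that gap. It uses Python's standard-library zlib (the compression SSH negotiates) with an explicit output budget on every `decompress` call, so an input that expands far beyond the cap is rejected after at most `max_out + 1` bytes have been produced rather than after a full inflate. The constant `MAX_PACKET_BYTES`, the function names and the sample packets are constructed for the example; it also simplifies SSH by treating each packet as its own complete zlib stream, whereas a real transport keeps one stream open across packets.

```python
import zlib

# Constructed cap on one packet's decompressed payload. RFC 4253 requires
# implementations to handle packets of at least 35000 bytes, so a receiver
# sized around that is realistic; this is not russh's actual constant.
MAX_PACKET_BYTES = 35_000


class OversizedPacketError(Exception):
    """Raised when a packet fails either the wire-size or inflated-size cap."""


def decompress_bounded(compressed: bytes, max_out: int = MAX_PACKET_BYTES) -> bytes:
    """Inflate `compressed` but refuse to materialise more than max_out bytes.

    The decompressobj is driven with an output budget of max_out + 1 - len(out)
    on every call (never 0, which zlib treats as "unlimited"), so the first
    byte past the cap triggers rejection and no oversized buffer is built.
    """
    inflater = zlib.decompressobj()
    out = bytearray()
    pending = compressed
    while not inflater.eof:
        budget = max_out + 1 - len(out)  # >= 1 while we are at or under the cap
        chunk = inflater.decompress(pending, budget)
        out.extend(chunk)
        if len(out) > max_out:
            raise OversizedPacketError(
                f"payload inflates past {max_out} bytes (wire size {len(compressed)})"
            )
        pending = inflater.unconsumed_tail  # input zlib stopped before, if any
        if not chunk and not pending:
            raise ValueError("compressed data ended before zlib end-of-stream")
    return bytes(out)


def receive_packet(wire: bytes, compression_enabled: bool = True) -> bytes:
    """Receive-path checks in the order a transport layer applies them.

    1. on-wire length check (the check the vulnerable path already performed),
    2. post-decompression length check (the one that was missing).
    """
    if len(wire) > MAX_PACKET_BYTES:
        raise OversizedPacketError(f"wire size {len(wire)} exceeds {MAX_PACKET_BYTES}")
    if not compression_enabled:
        return wire
    return decompress_bounded(wire, MAX_PACKET_BYTES)


def packet_verdict(wire: bytes) -> str:
    """Return a short verdict string for one received packet."""
    try:
        payload = receive_packet(wire)
    except OversizedPacketError as exc:
        return f"rejected: {exc}"
    except (ValueError, zlib.error) as exc:
        return f"rejected: malformed ({exc})"
    return f"accepted: {len(payload)} bytes"


# Constructed sample packets: a normal one, and a highly compressible one that
# passes the wire-size check (a few KiB) but inflates to roughly 10 MB.
NORMAL_PACKET = zlib.compress(b"SSH_MSG_CHANNEL_DATA " + b"x" * 1_000)
BOMB_PACKET = zlib.compress(b"\x00" * 10_000_000, 9)

if __name__ == "__main__":
    for name, pkt in (("normal", NORMAL_PACKET), ("bomb", BOMB_PACKET)):
        print(f"{name:6} wire={len(pkt):6d} -> {packet_verdict(pkt)}")
```

The point to carry over to any receive path is that the inflated-size limit must be enforced while inflating, not by measuring the result afterwards: a check that runs after a full decompress has already paid the allocation the attacker wanted.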


Meta Information

Published: 2026-06-10
Last Modified: 2026-06-11
Generated: 2026-07-01
AI Q&A: 2026-06-11
EPSS Evaluated: 2026-06-30
NVD

Affected Vendors & Products

Vendor   Product   Version / Range
russh    russh     up to 0.61.1 (excluding)
russh    russh     from 0.58.0 (including)
russh    russh     0.61.1

Exploitability

CWE ID: CWE-770
Description: The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.


Executive Summary

This vulnerability exists in the Russh Rust SSH client and server library versions from 0.34.0 up to but not including 0.61.1. When SSH compression is enabled, the library accepted compressed packets that passed normal size checks on the wire but expanded to a much larger size after decompression. This allowed a remote attacker to send packets that were oversized after decompression, which should have been rejected.

The issue leads to a remote denial-of-service (DoS) or resource exhaustion because the system processes these large decompressed packets, consuming excessive resources. The problem was worse in versions before 0.58.0 due to the use of CryptoVec in the decompression path. The vulnerability was fixed in version 0.61.1.

Impact Analysis

This vulnerability can impact you by allowing a remote attacker to cause a denial-of-service condition on your system using the Russh SSH library. By sending specially crafted compressed packets that decompress to very large sizes, the attacker can exhaust system resources such as memory or CPU, potentially causing the SSH service or the host to become unresponsive or crash.

Mitigation Strategies

To mitigate this vulnerability, upgrade the russh library to version 0.61.1 or later, where the issue has been patched.

Additionally, consider disabling SSH compression if it is enabled, as the vulnerability occurs when SSH compression is active.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
