CVE-2026-48108
Deferred Deferred - Pending Action

SSH Identification String Handling Flaw in Russh Library

Vulnerability report for CVE-2026-48108, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-10

Last updated on: 2026-06-11

Assigner: GitHub, Inc.

Description

Russh is a Rust SSH client & server library. From version 0.34.0-beta.1 to before version 0.61.0, russh did not enforce the SSH identification-string rules as deliberately as OpenSSH. In particular, the server-side identification reader used the same permissive path as the client, allowing pre-banner lines from clients, and the reader did not enforce a bounded number of pre-banner lines. For a library server built on russh, this could allow a remote peer to hold connection setup resources in the cleartext pre-authentication phase with malformed identification input that should have been rejected early. This issue has been patched in version 0.61.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-10
Last Modified
2026-06-11
Generated
2026-07-01
AI Q&A
2026-06-11
EPSS Evaluated
2026-06-30
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
russh russh From 0.34.0-beta.1 (inc) to 0.61.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability exists in the Russh Rust SSH client and server library versions from 0.34.0-beta.1 up to but not including 0.61.0. The issue is that Russh did not strictly enforce SSH identification-string rules, particularly on the server side. The server-side identification reader was as permissive as the client-side, allowing clients to send multiple pre-banner lines and malformed identification input that should have been rejected early.

This permissiveness means a remote peer could send malformed identification data during the connection setup phase, potentially holding connection setup resources open unnecessarily.

The vulnerability was fixed in version 0.61.0 by enforcing stricter SSH identification-string rules.

Impact Analysis

This vulnerability can allow a remote attacker to consume server resources during the SSH connection setup phase by sending malformed or excessive pre-banner lines. This can lead to resource exhaustion or denial of service conditions on a server using a Russh-based SSH server library that is vulnerable.

Mitigation Strategies

To mitigate this vulnerability, upgrade the russh library to version 0.61.0 or later, where the issue has been patched.

Compliance Impact

The provided information does not specify any direct impact of the CVE-2026-48108 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability involves the russh SSH server accepting malformed or excessive pre-banner lines during the SSH connection setup phase. Detection can focus on identifying unusual SSH connection attempts that send multiple or malformed identification lines before the actual SSH banner.

To detect potential exploitation attempts on your network or system, you can monitor SSH traffic for abnormal pre-banner lines or excessive line counts before the SSH identification string.

Suggested commands include using packet capture and analysis tools such as tcpdump or Wireshark to filter and inspect SSH connection attempts:

  • Use tcpdump to capture SSH traffic on port 22: tcpdump -i <interface> port 22 -w ssh_traffic.pcap
  • Analyze the captured traffic with Wireshark, looking for multiple or malformed pre-banner lines before the SSH identification string.
  • Use tshark (command-line Wireshark) to filter SSH packets and look for unusual banner lines: tshark -r ssh_traffic.pcap -Y 'ssh' -T fields -e data

Additionally, reviewing server logs for repeated or failed SSH connection attempts with unusual banners or delays during connection setup may help identify exploitation attempts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48108. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart