CVE-2026-48108
SSH Identification String Handling Flaw in Russh Library

Publication date: 2026-06-10

Last updated on: 2026-06-11

Assigner: GitHub, Inc.

Description
Russh is a Rust SSH client & server library. From version 0.34.0-beta.1 to before version 0.61.0, russh did not enforce the SSH identification-string rules as deliberately as OpenSSH. In particular, the server-side identification reader used the same permissive path as the client, allowing pre-banner lines from clients, and the reader did not enforce a bounded number of pre-banner lines. For a library server built on russh, this could allow a remote peer to hold connection setup resources in the cleartext pre-authentication phase with malformed identification input that should have been rejected early. This issue has been patched in version 0.61.0.
Affected Vendors & Products
One associated CPE:

Vendor: russh
Product: russh
Version range: from 0.34.0-beta.1 (inclusive) to 0.61.0 (exclusive)
CWE
CWE-20 (Improper Input Validation): the product receives input or data, but it does not validate, or incorrectly validates, that the input has the properties required to process the data safely and correctly.
Executive Summary

The vulnerability exists in the Russh Rust SSH client and server library versions from 0.34.0-beta.1 up to but not including 0.61.0. The issue is that Russh did not strictly enforce SSH identification-string rules, particularly on the server side. The server-side identification reader was as permissive as the client-side, allowing clients to send multiple pre-banner lines and malformed identification input that should have been rejected early.

This permissiveness means a remote peer could send malformed identification data during the connection setup phase, potentially holding connection setup resources open unnecessarily.

The vulnerability was fixed in version 0.61.0 by enforcing stricter SSH identification-string rules.

Impact Analysis

This vulnerability can allow a remote attacker to consume server resources during the SSH connection setup phase by sending malformed or excessive pre-banner lines. This can lead to resource exhaustion or denial of service conditions on a server using a Russh-based SSH server library that is vulnerable.

Mitigation Strategies

To mitigate this vulnerability, upgrade the russh library to version 0.61.0 or later, where the issue has been patched.
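The two checks the advisory describes as missing (a server must not accept pre-banner lines at all, and a client may tolerate only a bounded number of them, each within the RFC 4253 length limit) can be implemented as a small strict reader. The code below is an added illustration written for this page, not russh's own implementation; the role enum, error names and the pre-banner bound of 16 are assumptions chosen here.

```rust
// Added example: a strict SSH identification-string reader (not russh code).
// RFC 4253 §4.2 caps each line at 255 bytes including CR LF; a client may
// tolerate pre-banner lines from a server, a server must not accept any.
#[derive(Debug, PartialEq, Clone, Copy)]
pub enum Role { Client, Server }

#[derive(Debug, PartialEq)]
pub enum IdError { LineTooLong, TooManyPreBanner, PreBannerNotAllowed, Incomplete, NotUtf8 }

/// Maximum line length including the CR LF terminator (RFC 4253 §4.2).
pub const MAX_LINE: usize = 255;
/// Bound on pre-banner lines a client tolerates (assumed value, not from the RFC).
pub const MAX_PRE_BANNER: usize = 16;

/// Parse the peer's identification string from `buf` for the given local role.
/// Returns the version line (CR LF stripped) and the number of bytes consumed,
/// or an error that tells the caller to drop the connection / read more data.
pub fn read_identification(buf: &[u8], role: Role) -> Result<(String, usize), IdError> {
    let mut pos = 0;
    let mut pre_banner = 0;
    loop {
        let rest = &buf[pos..];
        let nl = match rest.iter().position(|&b| b == b'\n') {
            Some(i) => i,
            // No terminator yet: fail fast once the partial line is already over the cap,
            // so an unterminated flood cannot hold the reader open indefinitely.
            None if rest.len() >= MAX_LINE => return Err(IdError::LineTooLong),
            None => return Err(IdError::Incomplete),
        };
        if nl + 1 > MAX_LINE { return Err(IdError::LineTooLong); }
        let line = &rest[..nl];
        let line = line.strip_suffix(b"\r").unwrap_or(line);
        pos += nl + 1;
        if line.starts_with(b"SSH-") {
            let s = std::str::from_utf8(line).map_err(|_| IdError::NotUtf8)?;
            return Ok((s.to_string(), pos));
        }
        // Anything else is a pre-banner line: reject on the server side,
        // count and bound it on the client side.
        match role {
            Role::Server => return Err(IdError::PreBannerNotAllowed),
            Role::Client => {
                pre_banner += 1;
                if pre_banner > MAX_PRE_BANNER { return Err(IdError::TooManyPreBanner); }
            }
        }
    }
}
```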
