Description
Russh is a Rust SSH client & server library. From version 0.34.0 to before version 0.61.1, when SSH compression is enabled, russh accepted compressed packets whose on-wire size passed the normal transport packet-length checks but whose decompressed size was much larger. This allowed a remote peer to send oversized post-decompression packets that should have been rejected. In current releases, this is a remote denial-of-service / resource-exhaustion issue in the post-decompression receive path. In older releases before 0.58.0, the same remote decompression path used CryptoVec, which appears to make the historical impact worse. This issue has been patched in version 0.61.1.
Published: 2026-06-10
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Russh, a Rust SSH library, contains a flaw where compressed packets are validated only by their on‑wire length, not by their decompressed size. An attacker can open an SSH session with compression enabled and deliver a packet whose compressed length satisfies the transport checks but whose decompressed payload is vastly larger, forcing an oversized memory allocation and exhausting resources. The vulnerability is classified as CWE‑770, Allocation of Resources Without Limits or Throttling.

Affected Systems

The issue affects the russh library by Eugeny. Versions from 0.34.0 up to, but not including, 0.61.1 are vulnerable when SSH compression is enabled. Older releases prior to 0.58.0 used CryptoVec for decompression, which may exacerbate the impact. The patch is applied in version 0.61.1 and later.

Risk and Exploitability

With a CVSS score of 7.5, the vulnerability is considered high severity, though exploit probability is not quantified by EPSS. The vulnerability is not listed in CISA KEV, indicating no known exploitation in the wild at the time of writing. An attacker only needs to initiate an SSH connection with compression enabled and send the crafted packet; no authentication is required because the packet is processed at the transport layer, before authentication takes place. Successful exploitation results in a denial of service or resource exhaustion on the target system without compromising confidentiality or integrity.

Generated by OpenCVE AI on June 10, 2026 at 22:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade russh to version 0.61.1 or later
  • If upgrading is not immediately possible, disable SSH compression on both clients and servers that do not need it
  • Monitor memory usage and terminate connections that exhibit excessive decompression behavior


Advisories
Source: Github GHSA
ID: GHSA-wwx6-x28x-8259
Title: russh: Post-decompression SSH packet size was not bounded, allowing remote oversized compressed packets
History

Wed, 10 Jun 2026 23:00:00 +0000

First Time appeared (values added): Eugeny; Eugeny russh
Vendors & Products (values added): Eugeny; Eugeny russh

Wed, 10 Jun 2026 21:00:00 +0000

Description (values added): Russh is a Rust SSH client & server library. From version 0.34.0 to before version 0.61.1, when SSH compression is enabled, russh accepted compressed packets whose on-wire size passed the normal transport packet-length checks but whose decompressed size was much larger. This allowed a remote peer to send oversized post-decompression packets that should have been rejected. In current releases, this is a remote denial-of-service / resource-exhaustion issue in the post-decompression receive path. In older releases before 0.58.0, the same remote decompression path used CryptoVec, which appears to make the historical impact worse. This issue has been patched in version 0.61.1.
Title (values added): Russh: Post-decompression SSH packet size was not bounded, allowing remote oversized compressed packets
Weaknesses (values added): CWE-770
References (values added):
Metrics (values added): cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T20:19:18.792Z

Reserved: 2026-05-15T23:26:58.308Z

Link: CVE-2026-46702

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-10T22:17:00.580

Modified: 2026-06-10T22:17:00.580

Link: CVE-2026-46702

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T23:00:20Z

Weaknesses
  • CWE-770

    Allocation of Resources Without Limits or Throttling