Description
Russh is a Rust SSH client & server library. From version 0.34.0-beta.1 to before version 0.61.0, russh did not enforce the SSH identification-string rules as deliberately as OpenSSH. In particular, the server-side identification reader used the same permissive path as the client, allowing pre-banner lines from clients, and the reader did not enforce a bounded number of pre-banner lines. For a library server built on russh, this could allow a remote peer to hold connection setup resources in the cleartext pre-authentication phase with malformed identification input that should have been rejected early. This issue has been patched in version 0.61.0.
Published: 2026-06-10
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Russh, a Rust SSH client and server library, accepted lines that do not begin with "SSH-" from a connecting client before its identification string, and placed no bound on how many such lines it would read. RFC 4253 only permits the server to send such pre-banner lines; a client's first line must be its identification string, which is the stricter handling the description credits OpenSSH with. Because russh's server reused the client's permissive reader, an unauthenticated remote peer could hold a connection in the cleartext pre-authentication phase, tying up connection-setup resources with input that should have been rejected at the first non-canonical line. This is an input-validation weakness (CWE-20); the impact is on availability, with no effect on confidentiality or integrity.
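To make the server/client distinction concrete, the following is an added example written for this page, not code from russh or OpenSSH: a small identification-string reader that takes the local role into account. Reading as a client it tolerates a bounded number of server pre-banner lines, as RFC 4253 section 4.2 allows; reading as a server it rejects the first client line that does not begin with "SSH-"; and every line is capped at the 255-byte limit the RFC places on the identification string. The constants MAX_PRE_BANNER_LINES and MAX_PRE_BANNER_BYTES, the error names and the sample byte streams are assumptions of the example; the CVE record does not state what bounds russh 0.61.0 applies.

```rust
// Added example for this page (not russh or OpenSSH code): a role-aware, bounded
// reader for the SSH identification string, RFC 4253 section 4.2:
//   SSH-protoversion-softwareversion SP comments CR LF   (at most 255 bytes)
// The server MAY send other lines before it; the client MUST NOT.
use std::io::{BufRead, Cursor, Read};

const MAX_ID_LINE: usize = 255;           // RFC 4253 limit, CRLF included
const MAX_PRE_BANNER_LINES: usize = 64;   // assumed bound, client role only
const MAX_PRE_BANNER_BYTES: usize = 8192; // assumed bound, client role only

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Role {
    Client, // reading the server's identification
    Server, // reading the client's identification
}

#[derive(Debug, PartialEq, Eq)]
pub enum IdError {
    ClientSentPreBanner,    // server role: client bytes before "SSH-"
    PreBannerBoundExceeded, // client role: too many pre-banner lines or bytes
    LineTooLong,            // any line longer than MAX_ID_LINE
    MalformedIdent,         // an "SSH-" line that violates the grammar
    Eof,                    // stream ended before a terminated line
    Io(String),
}

/// Read one line without buffering more than `max` bytes of it; Ok(None) is a clean EOF.
fn read_line_bounded<R: BufRead>(r: &mut R, max: usize) -> Result<Option<Vec<u8>>, IdError> {
    let mut buf = Vec::with_capacity(64);
    let n = r.by_ref().take(max as u64).read_until(b'\n', &mut buf)
        .map_err(|e| IdError::Io(e.to_string()))?;
    if n == 0 { return Ok(None); }
    if buf.last() != Some(&b'\n') {
        // No terminator within `max` bytes: the peer kept sending, or the stream ended mid-line.
        return Err(if n == max { IdError::LineTooLong } else { IdError::Eof });
    }
    buf.pop();
    if buf.last() == Some(&b'\r') { buf.pop(); }
    Ok(Some(buf))
}

/// Check "SSH-protoversion-softwareversion [SP comments]" and return the line.
fn validate_ident(line: &[u8]) -> Result<Vec<u8>, IdError> {
    let body = &line[4..]; // caller guarantees the "SSH-" prefix
    let dash = body.iter().position(|&b| b == b'-').ok_or(IdError::MalformedIdent)?;
    let (version, rest) = (&body[..dash], &body[dash + 1..]);
    if version != b"2.0" && version != b"1.99" { // 1.99 is the RFC 4253 compat marker
        return Err(IdError::MalformedIdent);
    }
    // softwareversion runs to the first SP: printable US-ASCII, no whitespace, no '-'.
    let software = rest.split(|&b| b == b' ').next().unwrap_or(rest);
    if software.is_empty() || !software.iter().all(|&b| b.is_ascii_graphic() && b != b'-') {
        return Err(IdError::MalformedIdent);
    }
    Ok(line.to_vec())
}

/// Read the peer's identification string, applying the rules for our role.
pub fn read_identification<R: BufRead>(r: &mut R, role: Role) -> Result<Vec<u8>, IdError> {
    let (mut pre_lines, mut pre_bytes) = (0usize, 0usize);
    loop {
        let line = read_line_bounded(r, MAX_ID_LINE)?.ok_or(IdError::Eof)?;
        if line.starts_with(b"SSH-") {
            return validate_ident(&line);
        }
        match role {
            // A server must not accept client pre-banner lines at all; reusing the
            // client's tolerant path here is the behaviour the CVE describes.
            Role::Server => return Err(IdError::ClientSentPreBanner),
            // A client must tolerate server pre-banner lines, but only so many.
            Role::Client => {
                pre_lines += 1;
                pre_bytes += line.len();
                if pre_lines > MAX_PRE_BANNER_LINES || pre_bytes > MAX_PRE_BANNER_BYTES {
                    return Err(IdError::PreBannerBoundExceeded);
                }
            }
        }
    }
}

/// Convenience wrapper over an in-memory byte stream.
pub fn parse_bytes(input: &[u8], role: Role) -> Result<Vec<u8>, IdError> {
    read_identification(&mut Cursor::new(input), role)
}

fn main() {
    // Constructed sample streams, not captured traffic.
    let samples: [(&str, &[u8], Role); 3] = [
        ("clean client banner, server reading", b"SSH-2.0-ExampleClient_1.0\r\n", Role::Server),
        ("client pre-banner text, server reading", b"220 hello\r\nSSH-2.0-X\r\n", Role::Server),
        ("server pre-banner text, client reading", b"Welcome\r\nSSH-2.0-ExampleServer\r\n", Role::Client),
    ];
    for (label, bytes, role) in samples.iter() {
        println!("{label}: {:?}", parse_bytes(bytes, *role));
    }
}
```

The two things the example enforces that the vulnerable range did not are the role check (a server fails on the first non-"SSH-" line instead of looping) and the per-line byte cap taken from `Take`, which means a peer can never make the reader buffer more than 255 bytes of any single line regardless of role. The pre-banner counters on the client side show where a bound belongs even on the path that is allowed to be tolerant.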

Affected Systems

The russh library (vendor Eugeny, product russh in the CVE record) is affected in every release from 0.34.0-beta.1 up to, but not including, 0.61.0. Any application that embeds russh in the server role should check its pinned version against this range; the reported exposure is the server reading a client's identification, since a client tolerating pre-banner lines from a server is protocol-conformant behaviour.

Risk and Exploitability

The CVSS 3.1 base score is 5.3 (Medium), vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L: remotely reachable, no privileges or user interaction, and a low availability impact only. No EPSS score is available, and the vulnerability is not in the CISA KEV catalog, so no exploitation was known at publication; that is not evidence that none has occurred. Triggering the behaviour requires only a TCP connection to the SSH port: the peer sends lines that do not start with "SSH-" instead of its identification string, and an affected server keeps reading rather than dropping the connection. No public exploit has been reported. The practical risk is a pre-authentication denial of service, with connections held open in cleartext and connection-setup resources consumed per peer.

Generated by OpenCVE AI on June 10, 2026 at 22:58 UTC.

Remediation

No vendor advisory or workaround is listed on this page. The CVE description states that the issue is patched in russh 0.61.0, so upgrading is the remediation.

OpenCVE Recommended Actions

  • Upgrade russh to version 0.61.0 or later, which contains the fix that enforces SSH identification‑string rules and limits pre‑banner lines.
  • Rebuild any applications that incorporate russh as an SSH server after confirming the version bump, and perform integration testing to ensure no regression of server functionality.
  • Monitor SSH server logs for unusually long or malformed identification strings, and for connections that never reach key exchange, to detect attempts against older versions until the patch is applied; this depends on the embedding application logging the identification phase.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 23:00:00 +0000

Values Added (nothing removed):
First Time appeared: Eugeny; Eugeny russh
Vendors & Products: Eugeny; Eugeny russh

Wed, 10 Jun 2026 21:00:00 +0000

Values Added (nothing removed):
Description: Russh is a Rust SSH client & server library. From version 0.34.0-beta.1 to before version 0.61.0, russh did not enforce the SSH identification-string rules as deliberately as OpenSSH. In particular, the server-side identification reader used the same permissive path as the client, allowing pre-banner lines from clients, and the reader did not enforce a bounded number of pre-banner lines. For a library server built on russh, this could allow a remote peer to hold connection setup resources in the cleartext pre-authentication phase with malformed identification input that should have been rejected early. This issue has been patched in version 0.61.0.
Title: Russh: SSH identification parsing accepted non-canonical client banners and did not bound pre-banner input
Weaknesses: CWE-20
References: (none listed)
Metrics: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T20:24:56.666Z

Reserved: 2026-05-20T18:46:58.287Z

Link: CVE-2026-48108

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-10T22:17:01.130

Modified: 2026-06-10T22:17:01.130

Link: CVE-2026-48108

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T23:00:20Z

Weaknesses
  • CWE-20

    Improper Input Validation