PatchSiren cyber security CVE debrief
CVE-2026-46702 Eugeny CVE debrief
A remote denial-of-service vulnerability exists in the Russh SSH library, affecting versions 0.34.0 to before 0.61.1. The vulnerability allows a remote peer to send oversized post-decompression packets, causing a resource-exhaustion issue in the post-decompression receive path. This issue has been patched in version 0.61.1.
- Vendor: Eugeny
- Product: russh
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-11
Who should care
Users of the Russh SSH library, particularly those running versions from 0.34.0 up to (but not including) 0.61.1, should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The Russh SSH library, a Rust-based SSH client and server library, is vulnerable to a remote denial-of-service attack. The vulnerability, CVE-2026-46702, exists in versions 0.34.0 to before 0.61.1 and allows a remote peer to send oversized post-decompression packets, causing a resource-exhaustion issue in the post-decompression receive path. This issue has been patched in version 0.61.1.
Defensive priority
High
Recommended defensive actions
- Update to version 0.61.1 or later
- Disable SSH compression if not required
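To decide whether the update applies to a given project, the check below scans `Cargo.lock` text for a `russh` entry in the affected range stated above (0.34.0 up to but not including 0.61.1). It is an added example, not code from the advisory or the russh project; the function names and the sample lockfile are constructed for illustration, and pre-release suffixes are assumed to compare as their base version.

```rust
// Added example: flag russh versions in the range this page gives
// (0.34.0 <= v < 0.61.1) found in Cargo.lock text. Standard library only.

/// Parse "MAJOR.MINOR.PATCH"; a -pre/+build suffix is ignored (assumption).
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let mut it = core.split('.').map(|p| p.parse::<u64>());
    Some((it.next()?.ok()?, it.next()?.ok()?, it.next()?.ok()?))
}

fn is_affected(v: &str) -> bool {
    parse_version(v).map_or(false, |t| t >= (0, 34, 0) && t < (0, 61, 1))
}

/// Read `key = "value"` from one lockfile line.
fn field<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.strip_prefix(key)?.trim_start().strip_prefix('=')?;
    Some(rest.trim().trim_matches('"'))
}

/// Versions of the `russh` package in the lockfile that are in the affected range.
fn affected_russh_versions(lock: &str) -> Vec<String> {
    let mut hits = Vec::new();
    let mut name = None;
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            name = None;
        } else if let Some(n) = field(line, "name") {
            name = Some(n);
        } else if let Some(v) = field(line, "version") {
            if name == Some("russh") && is_affected(v) {
                hits.push(v.to_string());
            }
        }
    }
    hits
}

// Constructed sample lockfile text, not taken from a real project.
const SAMPLE_LOCK: &str = "version = 4\n\n[[package]]\nname = \"russh\"\nversion = \"0.45.0\"\n\n[[package]]\nname = \"russh-keys\"\nversion = \"0.45.0\"\n";

fn main() {
    for v in affected_russh_versions(SAMPLE_LOCK) {
        println!("russh {v} is in the affected range; update to 0.61.1 or later");
    }
}
```

A lockfile can contain more than one `russh` entry when dependencies pull in different versions, which is why the function returns every match rather than stopping at the first.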
Evidence notes
The vulnerability was patched in version 0.61.1. For more information, see the GitHub security advisory [GHSA-wwx6-x28x-8259](https://github.com/Eugeny/russh/security/advisories/GHSA-wwx6-x28x-8259).
Official resources
- CVE-2026-46702 CVE record (CVE.org)
- CVE-2026-46702 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: CVE-2026-46702 was published on [2026-06-10](https://www.cve.org/CVERecord?id=CVE-2026-46702) and modified on [2026-06-11](https://nvd.nist.gov/vuln/detail/CVE-2026-46702).