PatchSiren cyber security CVE debrief
CVE-2026-48108 Eugeny CVE debrief
The Russh library, a Rust SSH client and server implementation, had a vulnerability from version 0.34.0-beta.1 up to but not including version 0.61.0. This issue relates to how Russh handles the SSH identification string, which is not as strict as OpenSSH. Specifically, the server-side identification reader used a permissive path similar to the client, allowing for pre-banner lines from clients. Moreover, it did not enforce a limited number of these lines. For servers built with Russh, this could be exploited by a remote peer to keep connection setup resources engaged in the cleartext pre-authentication phase with improperly formatted identification input that should have been rejected early. This vulnerability has been addressed in version 0.61.0.
- Vendor: Eugeny
- Product: russh
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-11
Who should care
Users of the Russh library, especially those who have built servers on top of it, should be aware of this vulnerability. It could allow remote peers to consume resources during the pre-authentication phase by sending malformed identification input.
Technical summary
The vulnerability in Russh (CVE-2026-48108) stems from the server-side reader handling SSH identification strings as permissively as the client path does, accepting pre-banner lines from clients without limiting their number. This could allow resource consumption in the cleartext pre-authentication phase.
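A strict server-side identification reader of the kind the summary describes, as an added Rust example; it is not russh's code or its 0.61.0 patch. The names `read_client_id` and `IdError` and the choice to accept only the `SSH-2.0-` prefix are assumptions of this example; the 255-byte cap comes from RFC 4253 section 4.2.

```rust
use std::io::Read;

// RFC 4253 section 4.2: identification string is at most 255 bytes, CR LF included.
const MAX_ID_LEN: usize = 255;
const PREFIX: &[u8] = b"SSH-2.0-";

#[derive(Debug, PartialEq)]
enum IdError {
    NotAnIdentification, // pre-banner line or other non-SSH input
    TooLong,             // no line terminator within MAX_ID_LEN bytes
    Incomplete,          // peer closed, or the read failed, mid-line
}

// Strict server-side reader: the first line must be the identification string.
// Reads one byte at a time so key-exchange bytes after the line stay unread.
fn read_client_id<R: Read>(conn: &mut R) -> Result<String, IdError> {
    let mut line = Vec::with_capacity(MAX_ID_LEN);
    let mut byte = [0u8; 1];
    loop {
        conn.read_exact(&mut byte).map_err(|_| IdError::Incomplete)?;
        if byte[0] == b'\n' {
            break;
        }
        line.push(byte[0]);
        // Reject as soon as the input diverges from "SSH-2.0-", not at end of line.
        let n = line.len().min(PREFIX.len());
        if line[..n] != PREFIX[..n] {
            return Err(IdError::NotAnIdentification);
        }
        if line.len() >= MAX_ID_LEN {
            return Err(IdError::TooLong);
        }
    }
    if line.last() == Some(&b'\r') {
        line.pop();
    }
    // A line shorter than the prefix, or one with control/non-ASCII bytes, is not valid.
    if line.len() < PREFIX.len() || !line.iter().all(|b| (0x20..=0x7e).contains(b)) {
        return Err(IdError::NotAnIdentification);
    }
    Ok(String::from_utf8(line).expect("printable ASCII checked above"))
}

fn main() {
    // Constructed inputs: a well-formed client banner, then one preceded by a pre-banner line.
    let mut ok: &[u8] = b"SSH-2.0-ExampleClient_1.0\r\n";
    let mut bad: &[u8] = b"pre-banner text\r\nSSH-2.0-ExampleClient_1.0\r\n";
    println!("{:?}", read_client_id(&mut ok));
    println!("{:?}", read_client_id(&mut bad));
}
```

A production listener would pair this with a read deadline on the socket, since a length cap alone does not bound how long a slow peer can hold the connection open.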
Defensive priority
MEDIUM
Recommended defensive actions
- Update to version 0.61.0 or later of the Russh library to patch the vulnerability.
- Review server implementations built on Russh to ensure they properly handle identification strings according to the patched version's rules.
Evidence notes
The CVE-2026-48108 details were obtained from official sources including [cve-org] and [nvd]. Additional information was found in the security advisory [ref-4].
Official resources
- CVE-2026-48108 CVE record (CVE.org)
- CVE-2026-48108 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference
CVE-2026-48108 was published on 2026-06-10 and modified on 2026-06-11.