PatchSiren cyber security CVE debrief
CVE-2026-48110 Eugeny CVE debrief
CVE-2026-48110 is a vulnerability in the Russh Rust SSH client & server library. The issue affects versions from 0.34.0 up to but not including 0.61.0. In these versions, the library's handling of certain SSH messages could lead to excessive memory allocation or attempts at allocation when processing attacker-controlled strings, name-lists, and byte fields. This could be exploited by a remote SSH peer to cause a denial-of-service (DoS) by sending oversized, high-fanout, or malformed length-prefixed fields.
- Vendor: Eugeny
- Product: russh
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-11
Who should care
Developers and administrators using the Russh library in their applications, especially those providing SSH services, should be aware of this vulnerability. The vulnerability has been patched in version 0.61.0 of the Russh library.
Technical summary
The vulnerability arises from the library's practice of decoding attacker-controlled SSH strings, name-lists, and byte fields into owned allocations before applying field-specific bounds checks. This could allow an attacker to cause the library to allocate, attempt to allocate, or split data improperly, leading to potential DoS conditions.
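The check ordering this summary calls for, as an added example that is neither russh's code nor the 0.61.0 patch: the declared length of a field is validated against a per-field cap and against the bytes actually received before anything is copied or allocated. The function names, error type and limits are assumptions chosen for illustration.

```rust
// Added illustration, not russh code. Names, error type and caps are assumptions.
#[derive(Debug, PartialEq)]
pub enum DecodeError {
    Truncated,
    TooLong { declared: usize, max: usize },
    TooManyNames { max: usize },
}

/// Read one SSH `string` (uint32 big-endian length, then that many bytes).
/// Both bounds are checked before any copy; the result borrows the input.
pub fn read_string<'a>(buf: &mut &'a [u8], max: usize) -> Result<&'a [u8], DecodeError> {
    let data: &'a [u8] = *buf;
    if data.len() < 4 { return Err(DecodeError::Truncated); }
    let declared = u32::from_be_bytes([data[0], data[1], data[2], data[3]]) as usize;
    // Field-specific cap first, then the bytes that were really received.
    if declared > max { return Err(DecodeError::TooLong { declared, max }); }
    if declared > data.len() - 4 { return Err(DecodeError::Truncated); }
    let (field, tail) = data[4..].split_at(declared);
    *buf = tail; // advance the cursor only after the field validated
    Ok(field)
}

/// Read an SSH `name-list` (comma-separated names inside one string),
/// capping both its byte length and the number of names it may fan out to.
pub fn read_name_list<'a>(
    buf: &mut &'a [u8],
    max_bytes: usize,
    max_names: usize,
) -> Result<Vec<&'a [u8]>, DecodeError> {
    let raw = read_string(buf, max_bytes)?;
    let mut names = Vec::new();
    if raw.is_empty() { return Ok(names); }
    for name in raw.split(|&b| b == b',') {
        if names.len() == max_names {
            return Err(DecodeError::TooManyNames { max: max_names });
        }
        names.push(name);
    }
    Ok(names)
}

fn main() {
    // Constructed input: declared length 0xFFFFFFFF with only 2 bytes behind it.
    let mut oversized: &[u8] = &[0xff, 0xff, 0xff, 0xff, b'h', b'i'];
    println!("{:?}", read_string(&mut oversized, 256));
}
```

Because the decoded fields are slices of the received packet, the only allocation left is the name vector, and its size is bounded by `max_names`.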
Defensive priority
HIGH
Recommended defensive actions
- Update to version 0.61.0 or later of the Russh library to apply the patch.
- Review and restrict SSH access to only trusted peers to minimize exposure.
Evidence notes
The CVE has a CVSS score of 7.5 and is considered HIGH severity. It was published on 2026-06-10T22:17:01.267Z and last modified on 2026-06-11T17:16:34.917Z.
Official resources
- CVE-2026-48110 CVE record (CVE.org)
- CVE-2026-48110 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference: CVE-2026-48110 was published on 2026-06-10T22:17:01.267Z and last modified on 2026-06-11T17:16:34.917Z.