PatchSiren cyber security CVE debrief

CVE-2026-48850 PuTTY CVE debrief

A double-free vulnerability exists in PuTTY versions 0.72 through 0.83 during RSA key exchange (RSA KEX). The flaw, classified as CWE-415, occurs when memory is freed twice during the cryptographic handshake. This vulnerability was disclosed on 2026-05-25 and carries a LOW severity CVSS 3.1 score of 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L), indicating a network-based attack vector with high attack complexity, no privileges required, no user interaction, and low availability impact only. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. PuTTY is a widely used open-source SSH and Telnet client; the RSA KEX component handles server authentication during secure session establishment. A double-free in this context could potentially cause application crashes or memory corruption, though the high attack complexity and limited impact scope reduce immediate exploitation risk.

Vendor: PuTTY
Product: Unknown
CVSS: LOW 3.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-25
Original CVE updated: 2026-05-27
Advisory published: 2026-05-25
Advisory updated: 2026-05-27

Who should care

Organizations using PuTTY for SSH/Telnet access management; security teams tracking client-side cryptographic vulnerabilities; system administrators responsible for endpoint SSH client security

Technical summary

The vulnerability is a double-free (CWE-415) in PuTTY's RSA key exchange implementation. Affected versions 0.72 through 0.83 may free the same memory location twice during RSA KEX processing. The CVSS 3.1 vector indicates network attackability with high complexity, requiring no privileges or user interaction, with impact limited to availability. No confidentiality or integrity impact is scored. The vulnerability is not known to be exploited in the wild per available sources.

Defensive priority

LOW

Recommended defensive actions

  • Upgrade PuTTY to version 0.84 or later to remediate the double-free vulnerability in RSA key exchange
  • Verify PuTTY version via Help > About; versions 0.72 through 0.83 are affected
  • Monitor PuTTY security announcements for additional guidance
  • If immediate upgrade is not feasible, consider using alternative key exchange methods (such as ECDH) if supported by your SSH server configuration
  • Review SSH client inventory to identify all PuTTY deployments requiring update
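To support the version check and inventory review above, here is an added example (not PatchSiren's or the PuTTY project's code) that parses version strings as they might appear in an endpoint inventory export and flags installs inside the affected 0.72 through 0.83 range; the CSV column layout and the version string forms are assumptions.

```python
import csv
import io
import re

# Affected range from the advisory: 0.72 through 0.83 inclusive; fixed in 0.84.
AFFECTED_MIN, AFFECTED_MAX = (0, 72), (0, 83)
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\b")

def parse_putty_version(text: str) -> "tuple[int, int] | None":
    """Extract (major, minor) from strings such as '0.83', 'Release 0.81' or
    'PuTTY release 0.76 (64-bit)'; None if no release number is present."""
    m = _VERSION_RE.search(text)
    return (int(m.group(1)), int(m.group(2))) if m else None

def is_affected(version_text: str) -> "bool | None":
    """True inside the affected range, False outside it, None if the version
    could not be determined (e.g. a development snapshot) and needs review."""
    v = parse_putty_version(version_text)
    return None if v is None else AFFECTED_MIN <= v <= AFFECTED_MAX

def triage_inventory(csv_text: str) -> dict:
    """Bucket hosts from an inventory export (columns host,product,version)
    into 'affected', 'not_affected' and 'unknown' (needs manual check)."""
    buckets = {"affected": [], "not_affected": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if "putty" not in row["product"].lower():
            continue  # other SSH clients are out of scope for this CVE
        status = is_affected(row["version"])
        key = "unknown" if status is None else ("affected" if status else "not_affected")
        buckets[key].append(row["host"])
    return buckets

# Constructed sample export (assumed column layout), not real inventory data.
SAMPLE_INVENTORY = """host,product,version
ws-01,PuTTY,0.83
ws-02,PuTTY,Release 0.84
ws-03,PuTTY,PuTTY release 0.70 (64-bit)
ws-04,PuTTY,Development snapshot
ws-05,OpenSSH,9.9
"""

if __name__ == "__main__":
    for bucket, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {hosts}")
```

Hosts landing in the unknown bucket (snapshot builds with no release number) should be checked by hand via Help > About rather than assumed safe.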

Evidence notes

Vulnerability description sourced from official CVE record and NVD entry. CVSS vector and CWE classification confirmed via NVD. Vendor attribution to PuTTY project supported by source references from tartarus.org (PuTTY's official mailing list host) and chiark.greenend.org.uk (official PuTTY developer domain). No KEV listing confirmed via enrichment data.

Official resources

2026-05-25T21:16:35.267Z