PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-48851 PuTTY CVE debrief

PuTTY 0.77 through 0.83 fails to clear the trust indicator (PuTTY icon) between proxy authentication and the main TELNET session. The icon, which signals trusted data to the user, persists across session phases, potentially misleading users about the trustworthiness of subsequent TELNET data. This UI state management issue (CWE-451) could lead users to trust untrusted content. The vulnerability is rated LOW severity (CVSS 3.1) with a base score of 3.1, reflecting the need for user interaction and high attack complexity. No known exploitation in the wild or ransomware campaign use has been reported.

Vendor: PuTTY
Product: Unknown
CVSS: LOW 3.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-25
Original CVE updated: 2026-05-27
Advisory published: 2026-05-25
Advisory updated: 2026-05-27

Who should care

Organizations using PuTTY for TELNET connections with proxy authentication; security-conscious users relying on visual trust indicators in terminal emulators; compliance teams evaluating secure session management controls.

Technical summary

The vulnerability exists in PuTTY versions 0.77 through 0.83 where the application's trust sigil (the PuTTY icon displayed to indicate trusted data) is not reset between proxy authentication and the main TELNET session. This UI state persistence could cause users to incorrectly trust data received during the main session based on the authentication trust established earlier. The issue is classified under CWE-451 (User Interface (UI) Misrepresentation of Critical Information). Attack vector is network-based with high complexity, requiring user interaction, with low integrity impact and no confidentiality or availability impact.
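
The state handling described above, as a simplified C model added here for illustration. It is not PuTTY source code, and every name in it (term, emit, proxy_auth, start_main_session, misleading_lines, run_session) is hypothetical. It shows how a trust flag left set after the proxy phase marks server-supplied lines as trusted, and how clearing it at the phase boundary restores the invariant.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model of the flaw class; hypothetical names, not PuTTY code. */
enum origin { FROM_CLIENT, FROM_SERVER };         /* who produced the text */
struct line { enum origin origin; bool sigil; };  /* sigil: trust icon drawn */
struct term { bool trusted; struct line lines[8]; size_t n; };

/* Every line drawn inherits the terminal's current trust status. */
static void emit(struct term *t, enum origin o) {
    if (t->n < 8)
        t->lines[t->n++] = (struct line){ o, t->trusted };
}

/* Proxy authentication: the prompt is generated by the client itself. */
static void proxy_auth(struct term *t) {
    t->trusted = true;
    emit(t, FROM_CLIENT);
}

/* Hand-over to the main TELNET session; reset_trust == false models the missing reset. */
static void start_main_session(struct term *t, bool reset_trust) {
    if (reset_trust) t->trusted = false;
    emit(t, FROM_SERVER);   /* first server-supplied line */
}

/* Invariant check: count server-originated lines shown with the indicator. */
size_t misleading_lines(const struct term *t) {
    size_t bad = 0;
    for (size_t i = 0; i < t->n; i++)
        if (t->lines[i].origin == FROM_SERVER && t->lines[i].sigil)
            bad++;
    return bad;
}

/* Run one proxy-then-TELNET session and report invariant violations. */
size_t run_session(bool reset_trust) {
    struct term t = {0};
    proxy_auth(&t);
    start_main_session(&t, reset_trust);
    emit(&t, FROM_SERVER);  /* later server output */
    return misleading_lines(&t);
}

int main(void) {
    printf("no reset: %zu, reset: %zu\n", run_session(false), run_session(true));
    return 0;
}
```

The same invariant (no server-originated line may carry the indicator) is what a regression test for a phase-boundary fix would assert.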

Defensive priority

low

Recommended defensive actions

  • Upgrade to PuTTY 0.84 or later to address the trust indicator clearing issue
  • Review TELNET session workflows for users relying on visual trust indicators
  • Consider alternative protocols to TELNET where authentication boundaries require clear trust signaling
  • Monitor putty-announce mailing list for security updates

Evidence notes

CVE published 2026-05-25; modified 2026-05-26. Source references include putty-announce mailing list and official PuTTY wishlist documentation. Vendor attribution to PuTTY based on reference domain evidence (Tartarus/putty-announce, chiark.greenend.org.uk/~sgtatham/putty).

Official resources

2026-05-25