PatchSiren cyber security CVE debrief
CVE-2026-48852 PuTTY CVE debrief
PuTTY versions 0.71 through 0.83 contain an assertion failure vulnerability in ECDSA signature verification that can be triggered remotely. The flaw, identified as CWE-617 (Reachable Assertion), occurs when processing malformed ECDSA signatures during SSH authentication or key exchange. A remote attacker can exploit this to cause a denial of service by crashing the PuTTY client or server process. The vulnerability was disclosed on 2026-05-25 and affects all PuTTY releases in the specified range. Users should upgrade to PuTTY 0.84 or later to remediate this issue. The CVSS 3.1 score of 3.7 (Low severity) reflects the attack complexity requirements and limited impact to availability only, with no confidentiality or integrity effects.
- Vendor
- PuTTY
- Product
- Unknown
- CVSS
- LOW 3.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-25
- Original CVE updated
- 2026-05-27
- Advisory published
- 2026-05-25
- Advisory updated
- 2026-05-27
Who should care
Organizations and individuals using PuTTY versions 0.71-0.83 for SSH connectivity, particularly those in environments where SSH availability is critical. System administrators managing remote access infrastructure, security teams monitoring for denial-of-service conditions in SSH services, and developers integrating PuTTY components into applications should prioritize this patch.
Technical summary
The vulnerability exists in PuTTY's implementation of ECDSA (Elliptic Curve Digital Signature Algorithm) signature verification. When processing a malformed or specially crafted ECDSA signature, the code triggers an assertion failure rather than gracefully handling the error condition. This results in abnormal program termination. The issue is remotely exploitable because ECDSA signatures are exchanged during SSH protocol operations, allowing an attacker to send malicious signatures to a PuTTY client or server. The assertion failure represents a defensive coding check that fails when encountering unexpected input states, converting what should be a handled error into a crash condition. The vulnerability does not enable code execution or information disclosure, limiting impact to availability disruption through denial of service.
Defensive priority
medium
Recommended defensive actions
- Upgrade PuTTY to version 0.84 or later to eliminate the vulnerable code path
- If immediate patching is not feasible, monitor SSH connections for unexpected client or server crashes that may indicate exploitation attempts
- Review SSH server logs for anomalous ECDSA authentication failures preceding process termination
- Consider implementing network segmentation for critical SSH infrastructure to limit exposure to untrusted networks
- Deploy endpoint monitoring to detect PuTTY process crashes with assertion failure signatures
Evidence notes
Vulnerability description sourced from NVD official record. Affected version range (0.71 before 0.84) and technical details (ECDSA signature verification, assertion failure) derived from CVE description and official PuTTY project references. CVSS vector and score from NVD metadata. CWE-617 classification confirmed via NVD weakness data.
Official resources
2026-05-25T21:16:35.543Z