CVE-2026-46702

HIGH 7.5

Russh: Post-decompression SSH packet size was not bounded, allowing remote oversized compressed packets

CVSS Score

7.5

EPSS Score

0.0%

EPSS Percentile

0th

Russh is a Rust SSH client & server library. From version 0.34.0 to before version 0.61.1, when SSH compression is enabled, russh accepted compressed packets whose on-wire size passed the normal transport packet-length checks but whose decompressed size was much larger. This allowed a remote peer to send oversized post-decompression packets that should have been rejected. In current releases, this is a remote denial-of-service / resource-exhaustion issue in the post-decompression receive path. In older releases before 0.58.0, the same remote decompression path used CryptoVec, which appears to make the historical impact worse. This issue has been patched in version 0.61.1.

CWE	CWE-770
Vendor	eugeny
Product	russh
Published	Jun 10, 2026

Stay Ahead of the Next One

Get instant alerts for eugeny russh

Be the first to know when new high vulnerabilities affecting eugeny russh are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Affected Versions

Eugeny / russh

>= 0.34.0, < 0.61.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/Eugeny/russh/security/advisories/GHSA-wwx6-x28x-8259