CVE-2026-46702

Source
https://cve.org/CVERecord?id=CVE-2026-46702
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46702.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-46702
Published
2026-06-10T20:19:18.792Z
Modified
2026-06-18T03:55:20.199211664Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Russh: Post-decompression SSH packet size was not bounded, allowing remote oversized compressed packets
Details

Russh is a Rust SSH client & server library. From version 0.34.0 to before version 0.61.1, when SSH compression is enabled, russh accepted compressed packets whose on-wire size passed the normal transport packet-length checks but whose decompressed size was much larger. This allowed a remote peer to send oversized post-decompression packets that should have been rejected. In current releases, this is a remote denial-of-service / resource-exhaustion issue in the post-decompression receive path. In older releases before 0.58.0, the same remote decompression path used CryptoVec, which appears to make the historical impact worse. This issue has been patched in version 0.61.1.
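
The missing check described above, as an added Python sketch (not russh's code and not its patch): a per-connection zlib stream that caps decompressed output, run against constructed sample packets. The names `BoundedInflater`, `PacketTooLarge`, `make_packets` and `demo` are hypothetical, and the two limits are assumed values taken from the RFC 4253 section 6.1 minimums, not russh's.

```python
import zlib

# Assumed limits for illustration (RFC 4253 section 6.1 minimums), not russh's values.
MAX_WIRE_PACKET = 35000      # bound checked on the compressed, on-wire packet
MAX_PAYLOAD = 32768          # bound that must also hold after decompression


class PacketTooLarge(Exception):
    """Decompressed payload exceeds the limit; the connection should be closed."""


class BoundedInflater:
    """Per-connection zlib stream (SSH keeps one stream across packets)."""

    def __init__(self, limit=MAX_PAYLOAD):
        self.limit = limit
        self._z = zlib.decompressobj()

    def inflate_packet(self, compressed: bytes) -> bytes:
        # Ask for at most limit + 1 bytes so memory use is capped whatever
        # ratio the peer achieved; the one extra byte signals "over limit".
        out = self._z.decompress(compressed, self.limit + 1)
        if len(out) > self.limit or self._z.unconsumed_tail:
            raise PacketTooLarge(f"payload exceeds {self.limit} bytes")
        return out


def make_packets(payloads):
    """Constructed sample input: compress payloads on one sync-flushed stream."""
    z = zlib.compressobj()
    return [z.compress(p) + z.flush(zlib.Z_SYNC_FLUSH) for p in payloads]


def demo():
    small, big = b"ssh-userauth" * 10, b"\x00" * (1 << 20)   # 120 B and 1 MiB
    wire_small, wire_big = make_packets([small, big])
    # Both packets pass the on-wire length check, which is the gap described.
    assert len(wire_small) <= MAX_WIRE_PACKET and len(wire_big) <= MAX_WIRE_PACKET
    inflater = BoundedInflater()
    first = inflater.inflate_packet(wire_small)
    try:
        inflater.inflate_packet(wire_big)
        rejected = False
    except PacketTooLarge:
        rejected = True
    return first == small, len(wire_big), rejected


if __name__ == "__main__":
    print(demo())
```

After a rejection the shared stream is left mid-packet, so the receiver has to drop the connection rather than try to resynchronise.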

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-770"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46702.json"
}
Affected packages

Git / github.com/eugeny/russh

Affected ranges

Type
GIT
Repo
https://github.com/eugeny/russh
Events
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "0.34.0"
        },
        {
            "fixed": "0.61.1"
        }
    ]
}

Affected versions

0.*
0.37.0-beta.1
v0.*
v0.34.0
v0.35.0-beta.1
v0.35.0-beta.2
v0.35.0-beta.3
v0.35.0-beta.5
v0.35.0-beta.6
v0.35.0-beta.7
v0.35.0-beta.8
v0.35.0-beta.9
v0.36.1
v0.37.0
v0.37.0-beta.1
v0.37.1
v0.38.0
v0.38.0-beta.1
v0.39.0-beta.1
v0.40.0
v0.40.1
v0.40.2
v0.42.0
v0.43.0
v0.43.0-beta.1
v0.44.0
v0.44.0-beta.1
v0.44.0-beta.3
v0.44.0-beta.4
v0.45.0
v0.46.0
v0.47.0-beta.3
v0.47.0-beta.4
v0.48.0
v0.48.1
v0.48.2
v0.49.0
v0.50.0
v0.50.0-beta.10
v0.50.0-beta.11
v0.50.0-beta.12
v0.50.0-beta.2
v0.50.0-beta.3
v0.50.0-beta.4
v0.50.0-beta.5
v0.50.0-beta.6
v0.50.0-beta.7
v0.50.0-beta.8
v0.50.0-beta.9
v0.50.1
v0.50.3
v0.50.4
v0.51.0
v0.51.0-beta.1
v0.51.0-beta.2
v0.51.0-beta.3
v0.51.1
v0.52.0
v0.52.0-beta.1
v0.52.1
v0.53.0
v0.53.0-beta.1
v0.54.0
v0.54.1
v0.54.2
v0.54.3
v0.54.4
v0.54.5
v0.54.6
v0.55.0
v0.56.0
v0.57.0
v0.57.1
v0.58.0
v0.59.0
v0.60.0
v0.60.1
v0.60.2
v0.60.3
v0.61.0

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46702.json"