CVE-2026-46702 | Severity: HIGH | CNA: GitHub_M

CVE-2026-46702: Russh: Post-decompression SSH packet size was not bounded, allowing remote oversized compressed packets

Russh is a Rust SSH client & server library. From version 0.34.0 to before version 0.61.1, when SSH compression is enabled, russh accepted compressed packets whose on-wire size passed the normal transport packet-length checks but whose decompressed size was much larger. This allowed a remote peer to send oversized post-decompression packets that should have been rejected. In current releases, this is a remote denial-of-service / resource-exhaustion issue in the post-decompression receive path. In older releases before 0.58.0, the same remote decompression path used CryptoVec, which appears to make the historical impact worse. This issue has been patched in version 0.61.1.

Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Fixed in: 0.61.1 (per the description above)
  • Affected products: 1


HarborGuard Analysis

Synopsis

An uncontrolled decompression vulnerability (sometimes called a zip-bomb or decompression-bomb attack) affects the Russh Rust SSH library versions 0.34.0 through 0.61.0. The flaw is reachable over the network by any unauthenticated remote peer when SSH compression is enabled: a crafted compressed packet passes the normal on-wire size check but expands to an arbitrarily large buffer after decompression. Successful exploitation exhausts server memory or CPU, crashing or hanging the affected service. HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.
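As an added illustration (not russh code), the shape of the defect described above and of its fix: a streaming decompressor that trusts the on-wire length check alone, next to one that stops as soon as the running output total would exceed a post-decompression limit. The toy run-length format stands in for zlib and the 35000-byte limit follows RFC 4253; both are assumptions for this example, not values from the advisory.

```rust
/// Upper bound on an uncompressed SSH packet. 35000 follows RFC 4253 section
/// 6.1 and is an assumption for this example, not a value from the advisory.
pub const MAX_UNCOMPRESSED_PACKET: usize = 35_000;

#[derive(Debug, PartialEq)]
pub enum DecompressError {
    /// The output would exceed the limit; raised before the bytes are allocated.
    OutputTooLarge { limit: usize },
    Truncated,
}

/// Toy run-length format standing in for zlib: each (count, byte) pair expands
/// to `count` copies of `byte`, so two on-wire bytes can become 255 output
/// bytes and a packet that passes the wire-length check can expand far past it.
fn next_run(input: &[u8], pos: usize) -> Result<(usize, u8), DecompressError> {
    match input.get(pos..pos + 2) {
        Some(pair) => Ok((pair[0] as usize, pair[1])),
        None => Err(DecompressError::Truncated),
    }
}

/// Vulnerable shape: the wire size was already checked, so the output buffer
/// is allowed to grow without any further bound (the defect the advisory describes).
pub fn decompress_unbounded(input: &[u8]) -> Result<Vec<u8>, DecompressError> {
    let mut out = Vec::new();
    let mut pos = 0;
    while pos < input.len() {
        let (count, byte) = next_run(input, pos)?;
        out.extend(std::iter::repeat(byte).take(count));
        pos += 2;
    }
    Ok(out)
}

/// Hardened shape: the running output total is checked against `limit` before
/// each run is materialised, so a decompression bomb fails fast without allocating.
pub fn decompress_bounded(input: &[u8], limit: usize) -> Result<Vec<u8>, DecompressError> {
    let mut out = Vec::new();
    let mut pos = 0;
    while pos < input.len() {
        let (count, byte) = next_run(input, pos)?;
        if out.len() + count > limit {
            return Err(DecompressError::OutputTooLarge { limit });
        }
        out.extend(std::iter::repeat(byte).take(count));
        pos += 2;
    }
    Ok(out)
}
```

The same check belongs in any streaming inflate loop: compare the running total against the limit before each output chunk is appended, not after the whole payload has expanded.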

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle the russh crate. Pipeline scans and registry scans both surface affected image layers automatically.

Status: Available
Triage

HarborGuard scores this CVE at CVSS 7.5 HIGH and can weight that score against each customer organization's compliance policy to determine urgency and routing. Triage results are delivered to the inbox or ticketing integration configured for the relevant team within each customer org.

Status: Available
Patch

Because no fix version has been published yet, HarborGuard re-evaluates this advisory on every ingest cycle and will make a patched-image rebuild available the moment version 0.61.1 or a later upstream release is confirmed. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered automatically at that point.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the SSH service over the network; no local access or physical presence is needed.

  • Authentication: Not required

    No credentials or prior session are needed; the oversized compressed packet can be sent by any remote peer before authentication completes.

  • Victim interaction: Not required

    No user action is required; the server processes the malicious packet passively during normal SSH handshake or session handling.

  • Attack complexity: Low

    Exploitation is reliable and condition-free once the service is reachable with compression enabled; no race conditions or special memory layout are required.

Blast Radius

  • Exhausts available memory on the host running the russh-based SSH server or client, forcing an out-of-memory kill or process crash.
  • Saturates CPU during decompression of the oversized payload, starving other processes on the same host.
  • Renders the SSH service unavailable, blocking any administrative or automated access that depends on it.
  • On russh versions before 0.58.0, the decompression path used CryptoVec, which may allow additional or more severe resource corruption beyond plain memory exhaustion.

How HarborGuard Handles This

Available on HarborGuard: because no upstream patch has been released, the platform re-checks the russh advisory on every ingest cycle. The moment a fix version is confirmed, a patched-image rebuild becomes available and, for customers with auto-remediation enabled, a rebuild, a regression run, and a PR against affected workloads are triggered automatically. In the meantime, HarborGuard flags every image containing russh 0.34.0 through 0.61.0, giving teams the visibility needed to apply compensating controls: disabling SSH compression in server and client configuration, restricting network-policy rules to limit which peers can initiate SSH connections, and adding egress filtering so that untrusted external hosts cannot reach internal SSH endpoints.

Affected packages

  • Eugeny / russh: >= 0.34.0, < 0.61.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H