How is CVE-2026-48110 exploited?

Network reachability (required): The attacker must reach the SSH service over the network; no local or physical access is needed. Authentication (not-required): No credentials or account are needed; the malformed messages can be sent before any authentication handshake completes. Victim interaction (not-required): No action by a legitimate user is required; the attacker interacts directly with the SSH listener. Attack complexity (info): Exploitation is reliable and condition-free; crafting an oversized or malformed length-prefixed field requires no special timing or environmental setup.

What is the impact of CVE-2026-48110?

The affected SSH service process exhausts available memory or crashes outright, taking down any functionality it provides. All in-flight SSH sessions handled by the same process are terminated, disconnecting legitimate clients. Repeated short bursts of malformed messages can sustain a denial-of-service condition with minimal attacker bandwidth.

Back to search

HIGHCVE-2026-48110Published 2026-06-10Modified 2026-06-11CNA GitHub_M

CVE-2026-48110: Russh: SSH message fields were decoded through allocation-first parsers before field-specific bounds

Russh is a Rust SSH client & server library. From version 0.34.0 to before version 0.61.0, several russh client and server message handlers decoded attacker-controlled SSH strings, name-lists, and byte fields into owned allocations before applying field-specific bounds. A remote SSH peer could send oversized, high-fanout, or malformed length-prefixed fields and make the library allocate, attempt to allocate, or split data before rejecting input that should have been rejected earlier. This issue has been patched in version 0.61.0.

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

This is a memory allocation denial-of-service vulnerability in the Russh Rust SSH library (versions 0.34.0 through 0.60.x). A remote attacker with no authentication can send specially crafted SSH messages containing oversized or malformed length-prefixed fields, causing the library to allocate or attempt to allocate large amounts of memory before rejecting the input. Successful exploitation crashes or exhausts resources in any service built on Russh, disrupting availability entirely. No fix version has been published upstream yet; HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as one is released.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle the Russh crate. Any image whose dependency manifest or binary analysis reveals an affected Russh version (0.34.0 to below 0.61.0) is flagged automatically.

Available

Triage

HarborGuard scores this finding at CVSS 7.5 HIGH and weights it against each environment's compliance policy to determine urgency and routing. Findings are dispatched to the team inbox or ticketing integration configured for each customer organization, with severity band and affected image list included.

Available

Patch

Because no upstream fix has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will trigger automatically once a fix version becomes available.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The attacker must reach the SSH service over the network; no local or physical access is needed.
AuthenticationNot required
No credentials or account are needed; the malformed messages can be sent before any authentication handshake completes.
Victim interactionNot required
No action by a legitimate user is required; the attacker interacts directly with the SSH listener.
Attack complexityDetail
Exploitation is reliable and condition-free; crafting an oversized or malformed length-prefixed field requires no special timing or environmental setup.

Blast Radius

The affected SSH service process exhausts available memory or crashes outright, taking down any functionality it provides.
All in-flight SSH sessions handled by the same process are terminated, disconnecting legitimate clients.
Repeated short bursts of malformed messages can sustain a denial-of-service condition with minimal attacker bandwidth.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists today, detection is active and every affected image is flagged for manual review. HarborGuard monitors the russh advisory on each ingest cycle; the moment version 0.61.0 or a later fix is published upstream, a patched-image rebuild becomes available and, for customers with auto-remediation enabled, the pipeline will open a PR against affected workloads automatically. In the interim, compensating controls worth considering include network-policy rules that restrict SSH listener exposure to known peer CIDRs, rate-limiting or connection-throttling at the load balancer or firewall layer ahead of Russh-backed services, and feature-flag gating of any non-essential SSH endpoints until a patched image can be deployed.

See how HarborGuard automates this

Affected packages

Eugeny / russh
>= 0.34.0, < 0.61.0

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

https://github.com/Eugeny/russh/security/advisories/GHSA-4r3c-5hpg-58qr

Metrics

Get notified