russh

CVE-2026-46702

CVE-2026-46702 is a high-severity allocation of resources without limits or throttling vulnerability in russh (rust), affecting versions >= 0.34.0, < 0.61.1. It is fixed in 0.61.1.

Key facts
CVSS score
7.5
High
Attack vector
Network
Issuing authority
GitHub Advisory Database
Affected package
russh
Fixed in
0.61.1
Disclosed
2026

Summary

Summary When SSH compression is enabled, russh accepted compressed packets whose on-wire size passed the normal transport packet-length checks but whose decompressed size was much larger. This allowed a remote peer to send oversized post-decompression packets that should have been rejected. In current releases, this is a remote denial-of-service / resource-exhaustion issue in the post-decompression receive path. In older releases before 0.58.0, the same remote decompression path used CryptoVec, which appears to make the historical impact worse. Details The normal SSH transport read path enforces a packet-length limit before the packet body is read: russh/src/cipher/mod.rs However, RFC 4253 compression is applied to the SSH payload field only. The packetlength field and MAC are computed over the compressed payload, so a packet that is reasonably sized on the wire can still expand to a much larger message body after decompression. In russh, compressed packet bodies are later decompressed in: russh/src/compression.rs russh/src/client/mod.rs russh/src/server/session.rs Before the fix, Decompress::decompress() grew its output buffer by repeated doubling and did not enforce a separate post-decompression ceiling. That meant a peer could send a small compressed packet that passed the normal on-wire transport length checks and then inflate it into a much larger packet after decompression. It was verified that an attacker-crafted compressed payload can stay below the normal 256 KiB implementation transport packet cap while still inflating above the intended post-decompression bound. In other words, this is not only a "large on-wire packet" issue. Version detail: The underlying post-decompression bounds bug appears to affect russh as far back as 0.34.0. In historical releases >= 0.34.0, < 0.58.0, the remote decompression path still used CryptoVec. Remote compressed SSH traffic could drive that path, and under constrained memory that historical code path could abort the process. In current-style releases >= 0.58.0, non-secret packet/decompression buffers were moved off CryptoVec and onto Vec<u8>, but the post-decompression size still remained unbounded. So the bug class remained reachable remotely, but the maintained-line impact is a current remote DoS / oversized-packet-acceptance issue rather than the older CryptoVec-based abort story. The maintained-line fix was verified against 0.60.2. Compression is not selected in a default-vs-default russh session because the default preference order puts none first. However, the default server configuration still advertises zlib and [email protected], and server-side negotiation follows the client's preference order for common algorithms. A client that prefers compression can therefore negotiate it with a default russh server. OpenSSH portable was checked at /home/mjc/projects/openssh-portable commit 45b30e0a5. OpenSSH enforces a 256 KiB transport packet cap before decompression, but it does not reuse that cap after decompression. Instead, decompression writes to an sshbuf, which is indirectly bounded by OpenSSH's SSHBUFSIZEMAX hard maximum of 0x8000000 bytes (128 MiB). The patch direction should follow that model: add an explicit post-decompression ceiling of 128 MiB, rather than assuming the compressed transport packet cap also bounds decompressed payload size. Relevant OpenSSH reference points: /home/mjc/projects/openssh-portable/packet.c: PACKETMAXSIZE (256 * 1024) /home/mjc/projects/openssh-portable/packet.c: uncompressbuffer() inflates into compressionbuffer /home/mjc/projects/openssh-portable/sshbuf.h: SSHBUFSIZEMAX 0x8000000 RFC / OpenSSH Comparison RFC 4253 section 6 defines the binary packet format: packetlength paddinglength payload random padding MAC RFC 4253 section 6.2 says that, when compression is negotiated, the payload field is compressed, and that packetlength and MAC are computed from the compressed payload. The RFC also says implementations should check that packet length is reasonable to avoid denial-of-service and buffer-overflow attacks. That means the pre-decompression transport packet length check is necessary but not sufficient. A correct implementation still needs a reasonable bound on the decompressed payload that becomes parser input. OpenSSH provides such a bound indirectly through sshbuf's hard maximum. The russh fix should make the corresponding post-decompression bound explicit. PoC There were two kinds of proof: a wire-cap sanity test showing an attacker-crafted best-compressed DEBUG payload can stay below the normal SSH transport packet cap while still inflating beyond the intended post-decompression bound direct client and server receive-path tests that exercise the oversized post-decompression behavior itself The current in-tree regression tests are: tests::compress::oversizeddebugpayloadcanstaybelowwirecap compression::tests::oversizeddecompressedpacketisrejected client::tests::compresseddebugisignoredafterclientparsesit client::tests::oversizedcompresseddebugisrejectedbeforeclientignoresit server::session::tests::compresseddebugisignoredafterserverparsesit server::session::tests::oversizedcompresseddebugisrejectedbeforeserverignoresit The important behavior is: An attacker-crafted best-compressed DEBUG payload can stay below the normal 256 KiB transport packet cap while still inflating beyond 128 MiB. In the direct client and server receive paths, small compressed DEBUG packets are still ignored normally after parsing. In the direct client and server receive paths, oversized compressed DEBUG packets are rejected before the implementation reaches the normal "ignore DEBUG" behavior. The strongest PoC for severity is the unauthenticated server-side case. A malicious client can choose zlib in the initial key exchange, because the default server advertises it and server-side negotiation follows the client's preference order for common algorithms. After NEWKEYS, but before authentication, the client can send a transport-layer SSHMSGDEBUG packet whose compressed body is below the transport packet cap but whose decompressed body exceeds the post-decompression cap. That demonstrates the AV:N/AC:L/PR:N/UI:N case directly: the attacker is a remote SSH client and does not need a successfully authenticated session. The equivalent wire-level attack shape is: The direct receive-path client/server regression tests are still useful because they isolate the bug precisely. They construct the post-decryption compressed packet body passed to maybedecompress() and prove that the oversized packet is rejected before normal DEBUG ignore handling. The server-side pre-auth variant above is the one that justifies the highest CVSS framing for this bug. The most important targeted checks are: Before the fix, both the direct client and direct server receive-path oversized checks went red because the compressed payload was accepted and decompressed instead of being rejected at the post-decompression boundary. After the fix, they pass. Impact Suggested CVSS v3.1 for current maintained releases: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Score: 7.5 Reasoning: AV:N: reachable by a remote SSH peer AC:L: straightforward once compression is enabled PR:N, UI:N: no prior auth or user interaction required C:N, I:N: confidentiality or integrity impact was not demonstrated A:H: remote peer can cause oversized post-decompression packet processing and disconnect / denial of service Affected versions: historical stronger case: russh >= 0.34.0, < 0.58.0 current maintained remote DoS case: russh >= 0.58.0, including 0.60.3 Fix / Patch Direction Add an explicit maximum decompressed SSH packet size and enforce it inside Decompress::decompress() before returning decompressed bytes to the client or server packet parser. The intended ceiling is 128 MiB, matching OpenSSH portable's effective sshbuf hard maximum for post-decompression packet storage. The fix should reject decompression output larger than that bound with a packet-size error before normal message dispatch. The fix should preserve normal compressed packet behavior below the cap, including DEBUG packets that are decompressed and then ignored through the existing normal path. Patch branch:

Impact

What is allocation of resources without limits or throttling?

The application allocates resources such as memory, threads, or file descriptors based on untrusted input without enforcing a cap. Typical impact: resource exhaustion leading to denial of service.

Severity and exposure

CVE-2026-46702 has a CVSS score of 7.5 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.

A fixed version is available (0.61.1). Upgrading removes the vulnerable code path.

Affected versions

rust

  • russh (>= 0.34.0, < 0.61.1)

Security releases

  • russh → 0.61.1 (rust)
Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.

Kodem's runtime-powered SCA identifies whether CVE-2026-46702 is reachable in your applications. Explore open-source security for your team.

See if CVE-2026-46702 is reachable in your applications. Get a demo

Already deployed Kodem? See CVE-2026-46702 in your environment

Remediation advice

Upgrade russh to 0.61.1 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently asked questions about CVE-2026-46702

What is CVE-2026-46702?

CVE-2026-46702 is a high-severity allocation of resources without limits or throttling vulnerability in russh (rust), affecting versions >= 0.34.0, < 0.61.1. It is fixed in 0.61.1. The application allocates resources such as memory, threads, or file descriptors based on untrusted input without enforcing a cap.

How severe is CVE-2026-46702?

CVE-2026-46702 has a CVSS score of 7.5 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.

Which versions of russh are affected by CVE-2026-46702?

russh (rust) versions >= 0.34.0, < 0.61.1 is affected.

Is there a fix for CVE-2026-46702?

Yes. CVE-2026-46702 is fixed in 0.61.1. Upgrade to this version or later.

Is CVE-2026-46702 exploitable, and should I be worried?

Whether CVE-2026-46702 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo

What actually determines whether CVE-2026-46702 is exploitable, and how bad it is?

Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.

How do I fix CVE-2026-46702?

Upgrade russh to 0.61.1 or later.

Stop the waste.
Protect your environment with Kodem.