CVE-2026-46702: CWE-770: Allocation of Resources Without Limits or Throttling in Eugeny russh
Russh is a Rust SSH client & server library. From version 0.34.0 to before version 0.61.1, when SSH compression is enabled, russh accepted compressed packets whose on-wire size passed the normal transport packet-length checks but whose decompressed size was much larger. This allowed a remote peer to send oversized post-decompression packets that should have been rejected. In current releases, this is a remote denial-of-service / resource-exhaustion issue in the post-decompression receive path. In older releases before 0.58.0, the same remote decompression path used CryptoVec, which appears to make the historical impact worse. This issue has been patched in version 0.61.1.
AI Analysis
Technical Summary
CVE-2026-46702 is a resource exhaustion vulnerability in the russh library affecting versions >=0.34.0 and <0.61.1. The vulnerability arises because compressed SSH packets are accepted based on their on-wire size without limiting the decompressed size, enabling a remote attacker to send oversized decompressed packets that exhaust resources. Older versions prior to 0.58.0 used CryptoVec in the decompression path, potentially worsening the impact. The vulnerability results in a remote denial-of-service (DoS) condition. The issue is fixed in version 0.61.1.
Potential Impact
A remote attacker can cause a denial-of-service by sending specially crafted compressed SSH packets that decompress to very large sizes, exhausting server resources. There is no impact on confidentiality or integrity, only availability is affected.
Mitigation Recommendations
Upgrade russh to version 0.61.1 or later, where this vulnerability has been patched. Patch status is confirmed by the version information in the advisory. No other mitigation is indicated.
CVE-2026-46702: CWE-770: Allocation of Resources Without Limits or Throttling in Eugeny russh
Description
Russh is a Rust SSH client & server library. From version 0.34.0 to before version 0.61.1, when SSH compression is enabled, russh accepted compressed packets whose on-wire size passed the normal transport packet-length checks but whose decompressed size was much larger. This allowed a remote peer to send oversized post-decompression packets that should have been rejected. In current releases, this is a remote denial-of-service / resource-exhaustion issue in the post-decompression receive path. In older releases before 0.58.0, the same remote decompression path used CryptoVec, which appears to make the historical impact worse. This issue has been patched in version 0.61.1.
CVSS v3.1
Score 7.5high
Affected software
pkg:cargo/github/eugeny/russhRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-46702 is a resource exhaustion vulnerability in the russh library affecting versions >=0.34.0 and <0.61.1. The vulnerability arises because compressed SSH packets are accepted based on their on-wire size without limiting the decompressed size, enabling a remote attacker to send oversized decompressed packets that exhaust resources. Older versions prior to 0.58.0 used CryptoVec in the decompression path, potentially worsening the impact. The vulnerability results in a remote denial-of-service (DoS) condition. The issue is fixed in version 0.61.1.
Potential Impact
A remote attacker can cause a denial-of-service by sending specially crafted compressed SSH packets that decompress to very large sizes, exhausting server resources. There is no impact on confidentiality or integrity, only availability is affected.
Mitigation Recommendations
Upgrade russh to version 0.61.1 or later, where this vulnerability has been patched. Patch status is confirmed by the version information in the advisory. No other mitigation is indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-15T23:26:58.308Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a29d0250e53e73883986ccf
Added to database: 6/10/2026, 8:59:17 PM
Last enriched: 6/10/2026, 9:14:05 PM
Last updated: 6/11/2026, 12:21:48 AM
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.