CVE-2026-48108— Russh: SSH identification parsing accepted non-canonical client banners and did not bound pre-banner input
Possible ATT&CK Techniques 2AI
T1190 · Exploit Public-Facing Application T1499 · Endpoint Denial of ServiceGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-48108
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Russh: SSH identification parsing accepted non-canonical client banners and did not bound pre-banner input
Source: NVD (National Vulnerability Database)
Vulnerability Description
Russh is a Rust SSH client & server library. From version 0.34.0-beta.1 to before version 0.61.0, russh did not enforce the SSH identification-string rules as deliberately as OpenSSH. In particular, the server-side identification reader used the same permissive path as the client, allowing pre-banner lines from clients, and the reader did not enforce a bounded number of pre-banner lines. For a library server built on russh, this could allow a remote peer to hold connection setup resources in the cleartext pre-authentication phase with malformed identification input that should have been rejected early. This issue has been patched in version 0.61.0.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
输入验证不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
Russh 输入验证错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Russh是Eugene个人开发者的一个 Rust SSH 客户端和服务器端库。 Russh 0.34.0-beta.1版本至0.61.0之前版本存在输入验证错误漏洞,该漏洞源于未严格执行SSH标识字符串规则,服务端标识读取器使用与客户端相同的宽松路径,允许来自客户端的预横幅行且未限制预横幅行数量,可能导致远程对等方在明文预身份验证阶段使用格式错误的标识输入占用连接设置资源。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-48108
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-48108
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-48108 (1)
Same Patch Batch · Eugeny · 2026-06-10 · 6 CVEs total
| CVE-2026-48110 | 7.5 HIGH | Russh: SSH message fields were decoded through allocation-first parsers before field-speci |
| CVE-2026-46702 | 7.5 HIGH | Russh: Post-decompression SSH packet size was not bounded, allowing remote oversized compr |
| CVE-2026-46673 | 7.5 HIGH | Russh: Unchecked CryptoVec allocation and growth handling is reachable from local agent in |
| CVE-2026-48107 | 6.5 MEDIUM | Russh: Unchecked keyboard-interactive prompt count in client auth path |
| CVE-2026-46705 | 5.3 MEDIUM | russh server userauth state is not reset when authentication principal changes |
IV. Related Vulnerabilities
Same product: russh
- CVE-2026-48110
Russh: SSH message fields were decoded through allocation-fi - CVE-2026-48107
Russh: Unchecked keyboard-interactive prompt count in client - CVE-2026-46705
russh server userauth state is not reset when authentication - CVE-2026-46702
Russh: Post-decompression SSH packet size was not bounded, a - CVE-2026-46673
Russh: Unchecked CryptoVec allocation and growth handling is
Same vendor: Eugeny
- CVE-2026-48110
Russh: SSH message fields were decoded through allocation-fi - CVE-2026-48107
Russh: Unchecked keyboard-interactive prompt count in client - CVE-2026-46705
russh server userauth state is not reset when authentication - CVE-2026-46702
Russh: Post-decompression SSH packet size was not bounded, a - CVE-2026-46673
Russh: Unchecked CryptoVec allocation and growth handling is
Same weakness: CWE-20
V. Comments for CVE-2026-48108
No comments yet