CVE-2026-46702: russh: Post-decompression SSH packet size was not bounded, allowing remote oversized compressed packets
When SSH compression is enabled, russh accepted compressed packets whose on-wire size passed the normal transport packet-length checks but whose decompressed size was much larger. This allowed a remote peer to send oversized post-decompression packets that should have been rejected.
In current releases, this is a remote denial-of-service / resource-exhaustion issue in the post-decompression receive path.
In older releases before 0.58.0, the same remote decompression path used CryptoVec, which appears to make the historical impact worse.
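The weakness described above is a missing bound on the output of decompression rather than on the bytes received. The following added example (not russh code, and in Python's standard-library zlib rather than Rust, since SSH "zlib" compression is a zlib stream) contrasts the vulnerable receive pattern with a bounded one. The 35000-byte cap is the minimum packet size RFC 4253 requires implementations to handle; the sample packets, the helper names and the `OversizedPacket` exception are constructed for this example.

```python
"""Bounded vs unbounded decompression on an SSH-style zlib stream (added example)."""
import zlib

# RFC 4253 section 6.1: implementations must accept packets of at least 35000
# bytes; used here as the hard cap on both on-wire and inflated size.
MAX_PACKET_LEN = 35000


def new_peer_pair():
    """Fresh compressor/decompressor pair, as negotiated once per direction."""
    return zlib.compressobj(), zlib.decompressobj()


def compress_packet(comp, payload: bytes) -> bytes:
    """Model the sender: compress one payload and sync-flush so the packet
    boundary is visible to the receiver (SSH keeps one stream open)."""
    return comp.compress(payload) + comp.flush(zlib.Z_SYNC_FLUSH)


def wire_length_ok(wire: bytes, limit: int = MAX_PACKET_LEN) -> bool:
    """The transport-level packet-length check that a small compressed packet passes."""
    return len(wire) <= limit


def decompress_unbounded(decomp, wire: bytes) -> bytes:
    """Vulnerable pattern: only the on-wire size was checked, so the inflated
    payload may be orders of magnitude larger than any legal SSH packet."""
    return decomp.decompress(wire)


class OversizedPacket(Exception):
    """Raised when the inflated payload exceeds the packet cap."""


def decompress_bounded(decomp, wire: bytes, limit: int = MAX_PACKET_LEN) -> bytes:
    """Hardened pattern: ask zlib for at most limit+1 output bytes. Getting
    limit+1 bytes proves the payload is oversized without materialising it.
    After a failure the stream is out of sync; the connection must be closed."""
    out = decomp.decompress(wire, limit + 1)
    if len(out) > limit:
        raise OversizedPacket(f"inflated payload exceeds {limit} bytes")
    return out


def receive(decomp, wire: bytes, limit: int = MAX_PACKET_LEN):
    """Receive path with both checks; returns (accepted, payload_or_None)."""
    if not wire_length_ok(wire, limit):
        return False, None
    try:
        return True, decompress_bounded(decomp, wire, limit)
    except OversizedPacket:
        return False, None


def build_samples():
    """Constructed inputs: a normal 200-byte packet, then a highly compressible
    one that inflates to 1 MiB while staying tiny on the wire."""
    comp, _ = new_peer_pair()
    normal = compress_packet(comp, b"A" * 200)
    oversized = compress_packet(comp, b"\0" * (1 << 20))
    return normal, oversized


def demo():
    normal, oversized = build_samples()
    print(f"oversized packet on the wire: {len(oversized)} bytes, "
          f"passes length check: {wire_length_ok(oversized)}")

    _, d_vuln = new_peer_pair()
    decompress_unbounded(d_vuln, normal)
    print(f"unbounded path inflated it to {len(decompress_unbounded(d_vuln, oversized))} bytes")

    _, d_safe = new_peer_pair()
    print("bounded path, normal packet accepted:", receive(d_safe, normal)[0])
    print("bounded path, oversized packet accepted:", receive(d_safe, oversized)[0])


if __name__ == "__main__":
    demo()
```

Because the SSH compression context persists across packets, both paths feed the same decompressor the normal packet first and the oversized one second, exactly as a peer would send them; the bounded path rejects the second packet after producing at most one byte past the cap.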