CVE-2026-48108: Russh: SSH identification parsing accepted non-canonical client banners and did not bound pre-banner input

June 11, 2026

russh did not enforce the SSH identification-string rules as deliberately as OpenSSH. In particular, the server-side identification reader used the same permissive path as the client, allowing pre-banner lines from clients, and the reader did not enforce a bounded number of pre-banner lines.

For a library server built on russh, this could allow a remote peer to hold connection setup resources in the cleartext pre-authentication phase with malformed identification input that should have been rejected early.

References

github.com/Eugeny/russh/security/advisories/GHSA-76r6-x97p-67vr
github.com/advisories/GHSA-76r6-x97p-67vr
nvd.nist.gov/vuln/detail/CVE-2026-48108

Code Behaviors & Features

Detect and mitigate CVE-2026-48108 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →