CVE-2026-48110: Russh SSH message fields were decoded through allocation-first parsers before field-specific bounds
Several russh client and server message handlers decoded attacker-controlled SSH strings, name-lists, and byte fields into owned allocations before applying field-specific bounds. A remote SSH peer could send oversized, high-fanout, or malformed length-prefixed fields and make the library allocate, attempt to allocate, or split data before rejecting input that should have been rejected earlier.
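The weakness class described above, shown as an added illustration that is not russh's code: a constructed decoder for the RFC 4251 `string` and `name-list` wire types (a big-endian u32 length prefix followed by the bytes). `read_string_alloc_first` reproduces the allocation-first ordering the advisory describes, where the peer-chosen length reaches the allocator and the payload is copied before the field's own bound is applied; `read_string_bounded` and `read_name_list_bounded` apply the field bound, the remaining-buffer check and the entry-count check before any allocation or split. The limits (256 bytes, 64 entries, 64 KiB) and the sample inputs are assumptions chosen for the example.

```rust
// Added illustration for the advisory above; constructed code, not russh's.
// Wire format (RFC 4251): u32 big-endian length, then that many bytes.
// A name-list is such a string holding comma-separated, non-empty ASCII names.

#[derive(Debug, PartialEq, Eq)]
pub enum DecodeError {
    Truncated,                 // declared length runs past the buffer
    LengthExceedsLimit(usize), // declared length over the field's maximum
    TooManyEntries(usize),     // name-list fan-out over the field's maximum
    MalformedNameList,         // empty or non-ASCII name
    AllocationFailed,          // allocator refused the requested size
}

/// Reads the u32 length prefix; returns (declared_len, remaining bytes).
fn read_u32_len(buf: &[u8]) -> Result<(usize, &[u8]), DecodeError> {
    if buf.len() < 4 {
        return Err(DecodeError::Truncated);
    }
    let len = u32::from_be_bytes([buf[0], buf[1], buf[2], buf[3]]) as usize;
    Ok((len, &buf[4..]))
}

/// Allocation-first ordering (the pattern the advisory describes): the
/// declared length drives an allocation and a copy before the field bound.
pub fn read_string_alloc_first(buf: &[u8], max_len: usize) -> Result<Vec<u8>, DecodeError> {
    let (len, rest) = read_u32_len(buf)?;
    let mut out = Vec::new();
    // A peer-chosen u32 goes straight to the allocator (up to 4 GiB).
    out.try_reserve_exact(len).map_err(|_| DecodeError::AllocationFailed)?;
    let data = rest.get(..len).ok_or(DecodeError::Truncated)?;
    out.extend_from_slice(data);
    // The field-specific bound is only checked after the copy happened.
    if out.len() > max_len {
        return Err(DecodeError::LengthExceedsLimit(out.len()));
    }
    Ok(out)
}

/// Hardened ordering: reject on the declared length, then on the remaining
/// buffer, and only then allocate exactly the validated size.
pub fn read_string_bounded(buf: &[u8], max_len: usize) -> Result<Vec<u8>, DecodeError> {
    let (len, rest) = read_u32_len(buf)?;
    if len > max_len {
        return Err(DecodeError::LengthExceedsLimit(len));
    }
    let data = rest.get(..len).ok_or(DecodeError::Truncated)?;
    Ok(data.to_vec())
}

/// Hardened name-list decoder: bounds the byte length, counts separators to
/// bound fan-out, and validates the text before any per-entry allocation.
pub fn read_name_list_bounded(
    buf: &[u8],
    max_bytes: usize,
    max_entries: usize,
) -> Result<Vec<String>, DecodeError> {
    let (len, rest) = read_u32_len(buf)?;
    if len > max_bytes {
        return Err(DecodeError::LengthExceedsLimit(len));
    }
    let data = rest.get(..len).ok_or(DecodeError::Truncated)?;
    if data.is_empty() {
        return Ok(Vec::new()); // the empty name-list is legal
    }
    let entries = data.iter().filter(|&&b| b == b',').count() + 1;
    if entries > max_entries {
        return Err(DecodeError::TooManyEntries(entries));
    }
    let text = std::str::from_utf8(data).map_err(|_| DecodeError::MalformedNameList)?;
    if !text.is_ascii() {
        return Err(DecodeError::MalformedNameList);
    }
    let mut names = Vec::with_capacity(entries);
    for name in text.split(',') {
        if name.is_empty() {
            return Err(DecodeError::MalformedNameList);
        }
        names.push(name.to_string());
    }
    Ok(names)
}

/// Builds a length-prefixed field for the constructed sample inputs.
pub fn encode_field(payload: &[u8]) -> Vec<u8> {
    let mut v = (payload.len() as u32).to_be_bytes().to_vec();
    v.extend_from_slice(payload);
    v
}

/// Constructed oversized field: declares u32::MAX bytes but carries none.
pub fn oversized_header() -> Vec<u8> {
    u32::MAX.to_be_bytes().to_vec()
}

fn main() {
    let huge = oversized_header();
    println!("alloc-first: {:?}", read_string_alloc_first(&huge, 256));
    println!("bounded:     {:?}", read_string_bounded(&huge, 256));
    let fanout = encode_field(&vec![b','; 10_000]); // 10_001 empty names
    println!("name-list:   {:?}", read_name_list_bounded(&fanout, 1 << 16, 64));
}
```

Run against the oversized header, the bounded decoder fails on the declared length without touching the allocator, while the allocation-first decoder either reserves up to 4 GiB and then reports the buffer as truncated, or fails inside the allocator; the 10,001-entry name-list is rejected on its separator count before a single entry is split or allocated.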