Vulnerability-Lookup

CVE-2026-46702 (GCVE-0-2026-46702)

Vulnerability from cvelistv5 – Published: 2026-06-10 20:19 – Updated: 2026-06-10 20:19

Title

Russh: Post-decompression SSH packet size was not bounded, allowing remote oversized compressed packets

Summary

Russh is a Rust SSH client & server library. From version 0.34.0 to before version 0.61.1, when SSH compression is enabled, russh accepted compressed packets whose on-wire size passed the normal transport packet-length checks but whose decompressed size was much larger. This allowed a remote peer to send oversized post-decompression packets that should have been rejected. In current releases, this is a remote denial-of-service / resource-exhaustion issue in the post-decompression receive path. In older releases before 0.58.0, the same remote decompression path used CryptoVec, which appears to make the historical impact worse. This issue has been patched in version 0.61.1.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-770 - Allocation of Resources Without Limits or Throttling

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/Eugeny/russh/security/advisori…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
Eugeny	russh	Affected: >= 0.34.0, < 0.61.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "product": "russh",
          "vendor": "Eugeny",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.34.0, \u003c 0.61.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Russh is a Rust SSH client \u0026 server library. From version 0.34.0 to before version 0.61.1, when SSH compression is enabled, russh accepted compressed packets whose on-wire size passed the normal transport packet-length checks but whose decompressed size was much larger. This allowed a remote peer to send oversized post-decompression packets that should have been rejected. In current releases, this is a remote denial-of-service / resource-exhaustion issue in the post-decompression receive path. In older releases before 0.58.0, the same remote decompression path used CryptoVec, which appears to make the historical impact worse. This issue has been patched in version 0.61.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-10T20:19:18.792Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/Eugeny/russh/security/advisories/GHSA-wwx6-x28x-8259",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Eugeny/russh/security/advisories/GHSA-wwx6-x28x-8259"
        }
      ],
      "source": {
        "advisory": "GHSA-wwx6-x28x-8259",
        "discovery": "UNKNOWN"
      },
      "title": "Russh: Post-decompression SSH packet size was not bounded, allowing remote oversized compressed packets"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-46702",
    "datePublished": "2026-06-10T20:19:18.792Z",
    "dateReserved": "2026-05-15T23:26:58.308Z",
    "dateUpdated": "2026-06-10T20:19:18.792Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-46702\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-06-10T22:17:00.580\",\"lastModified\":\"2026-06-10T22:17:00.580\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Russh is a Rust SSH client \u0026 server library. From version 0.34.0 to before version 0.61.1, when SSH compression is enabled, russh accepted compressed packets whose on-wire size passed the normal transport packet-length checks but whose decompressed size was much larger. This allowed a remote peer to send oversized post-decompression packets that should have been rejected. In current releases, this is a remote denial-of-service / resource-exhaustion issue in the post-decompression receive path. In older releases before 0.58.0, the same remote decompression path used CryptoVec, which appears to make the historical impact worse. This issue has been patched in version 0.61.1.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]}],\"references\":[{\"url\":\"https://github.com/Eugeny/russh/security/advisories/GHSA-wwx6-x28x-8259\",\"source\":\"security-advisories@github.com\"}]}}"
  }
}

FKIE_CVE-2026-46702

Vulnerability from fkie_nvd - Published: 2026-06-10 22:17 - Updated: 2026-06-10 22:17

Severity

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/Eugeny/russh/security/advisories/GHSA-wwx6-x28x-8259

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Russh is a Rust SSH client \u0026 server library. From version 0.34.0 to before version 0.61.1, when SSH compression is enabled, russh accepted compressed packets whose on-wire size passed the normal transport packet-length checks but whose decompressed size was much larger. This allowed a remote peer to send oversized post-decompression packets that should have been rejected. In current releases, this is a remote denial-of-service / resource-exhaustion issue in the post-decompression receive path. In older releases before 0.58.0, the same remote decompression path used CryptoVec, which appears to make the historical impact worse. This issue has been patched in version 0.61.1."
    }
  ],
  "id": "CVE-2026-46702",
  "lastModified": "2026-06-10T22:17:00.580",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-06-10T22:17:00.580",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/Eugeny/russh/security/advisories/GHSA-wwx6-x28x-8259"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Received",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-770"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-WWX6-X28X-8259

Vulnerability from github – Published: 2026-05-29 19:37 – Updated: 2026-05-29 19:37

Summary

russh: Post-decompression SSH packet size was not bounded, allowing remote oversized compressed packets

Details

Summary

When SSH compression is enabled, russh accepted compressed packets whose on-wire size passed the normal transport packet-length checks but whose decompressed size was much larger. This allowed a remote peer to send oversized post-decompression packets that should have been rejected.

In current releases, this is a remote denial-of-service / resource-exhaustion issue in the post-decompression receive path.

In older releases before 0.58.0, the same remote decompression path used CryptoVec, which appears to make the historical impact worse.

Details

The normal SSH transport read path enforces a packet-length limit before the packet body is read:

russh/src/cipher/mod.rs

However, RFC 4253 compression is applied to the SSH payload field only. The packet_length field and MAC are computed over the compressed payload, so a packet that is reasonably sized on the wire can still expand to a much larger message body after decompression.

In russh, compressed packet bodies are later decompressed in:

russh/src/compression.rs
russh/src/client/mod.rs
russh/src/server/session.rs

Before the fix, Decompress::decompress() grew its output buffer by repeated doubling and did not enforce a separate post-decompression ceiling. That meant a peer could send a small compressed packet that passed the normal on-wire transport length checks and then inflate it into a much larger packet after decompression.

It was verified that an attacker-crafted compressed payload can stay below the normal 256 KiB implementation transport packet cap while still inflating above the intended post-decompression bound. In other words, this is not only a "large on-wire packet" issue.

Version detail:

The underlying post-decompression bounds bug appears to affect russh as far back as 0.34.0.
In historical releases >= 0.34.0, < 0.58.0, the remote decompression path still used CryptoVec. Remote compressed SSH traffic could drive that path, and under constrained memory that historical code path could abort the process.
In current-style releases >= 0.58.0, non-secret packet/decompression buffers were moved off CryptoVec and onto Vec<u8>, but the post-decompression size still remained unbounded. So the bug class remained reachable remotely, but the maintained-line impact is a current remote DoS / oversized-packet-acceptance issue rather than the older CryptoVec-based abort story.
The maintained-line fix was verified against 0.60.2.

Compression is not selected in a default-vs-default russh session because the default preference order puts none first. However, the default server configuration still advertises zlib and zlib@openssh.com, and server-side negotiation follows the client's preference order for common algorithms. A client that prefers compression can therefore negotiate it with a default russh server.

OpenSSH portable was checked at /home/mjc/projects/openssh-portable commit 45b30e0a5. OpenSSH enforces a 256 KiB transport packet cap before decompression, but it does not reuse that cap after decompression. Instead, decompression writes to an sshbuf, which is indirectly bounded by OpenSSH's SSHBUF_SIZE_MAX hard maximum of 0x8000000 bytes (128 MiB).

The patch direction should follow that model: add an explicit post-decompression ceiling of 128 MiB, rather than assuming the compressed transport packet cap also bounds decompressed payload size.

Relevant OpenSSH reference points:

/home/mjc/projects/openssh-portable/packet.c: PACKET_MAX_SIZE (256 * 1024)
/home/mjc/projects/openssh-portable/packet.c: uncompress_buffer() inflates into compression_buffer
/home/mjc/projects/openssh-portable/sshbuf.h: SSHBUF_SIZE_MAX 0x8000000

RFC / OpenSSH Comparison

RFC 4253 section 6 defines the binary packet format:

packet_length
padding_length
payload
random padding
MAC

RFC 4253 section 6.2 says that, when compression is negotiated, the payload field is compressed, and that packet_length and MAC are computed from the compressed payload. The RFC also says implementations should check that packet length is reasonable to avoid denial-of-service and buffer-overflow attacks.

That means the pre-decompression transport packet length check is necessary but not sufficient. A correct implementation still needs a reasonable bound on the decompressed payload that becomes parser input.

OpenSSH provides such a bound indirectly through sshbuf's hard maximum. The russh fix should make the corresponding post-decompression bound explicit.

PoC

There were two kinds of proof:

a wire-cap sanity test showing an attacker-crafted best-compressed DEBUG payload can stay below the normal SSH transport packet cap while still inflating beyond the intended post-decompression bound
direct client and server receive-path tests that exercise the oversized post-decompression behavior itself

The current in-tree regression tests are:

tests::compress::oversized_debug_payload_can_stay_below_wire_cap
compression::tests::oversized_decompressed_packet_is_rejected
client::tests::compressed_debug_is_ignored_after_client_parses_it
client::tests::oversized_compressed_debug_is_rejected_before_client_ignores_it
server::session::tests::compressed_debug_is_ignored_after_server_parses_it
server::session::tests::oversized_compressed_debug_is_rejected_before_server_ignores_it

The important behavior is:

An attacker-crafted best-compressed DEBUG payload can stay below the normal 256 KiB transport packet cap while still inflating beyond 128 MiB.
In the direct client and server receive paths, small compressed DEBUG packets are still ignored normally after parsing.
In the direct client and server receive paths, oversized compressed DEBUG packets are rejected before the implementation reaches the normal "ignore DEBUG" behavior.

The strongest PoC for severity is the unauthenticated server-side case. A malicious client can choose zlib in the initial key exchange, because the default server advertises it and server-side negotiation follows the client's preference order for common algorithms. After NEWKEYS, but before authentication, the client can send a transport-layer SSH_MSG_DEBUG packet whose compressed body is below the transport packet cap but whose decompressed body exceeds the post-decompression cap.

That demonstrates the AV:N/AC:L/PR:N/UI:N case directly: the attacker is a remote SSH client and does not need a successfully authenticated session.

fn compressed_debug_payload(payload_len: usize) -> Vec<u8> {
    let mut payload = vec![b'A'; payload_len];
    payload[0] = crate::msg::DEBUG;

    let mut encoder =
        flate2::write::ZlibEncoder::new(Vec::new(), flate2::Compression::best());
    encoder.write_all(&payload).unwrap();
    let compressed = encoder.finish().unwrap();

    assert!(
        compressed.len() < 256 * 1024,
        "oversized post-decompression payload still fits under the wire cap"
    );
    compressed
}

fn incoming_packet(compressed: Vec<u8>) -> SSHBuffer {
    let mut buffer = SSHBuffer::new();
    // maybe_decompress() receives the clear SSHBuffer after packet framing,
    // and decompresses bytes after packet_length + padding_length.
    buffer.buffer.extend_from_slice(&[0; 5]);
    buffer.buffer.extend_from_slice(&compressed);
    buffer
}

#[test]
fn unauthenticated_client_zlib_debug_is_rejected_by_server_before_auth() {
    let mut server = preauth_server_session_after_newkeys_with_zlib_decompressor();
    let oversized = MAXIMUM_DECOMPRESSED_PACKET_LEN + 1024;
    let buffer = incoming_packet(compressed_debug_payload(oversized));

    let err = server.maybe_decompress(&buffer).unwrap_err();
    assert!(
        matches!(err, crate::Error::PacketSize(len) if len > MAXIMUM_DECOMPRESSED_PACKET_LEN)
    );
}

The equivalent wire-level attack shape is:

1. Connect to a russh server using the default compression advertisement.
2. Send SSH_MSG_KEXINIT with compression client-to-server preference:
   zlib,zlib@openssh.com,none
3. Complete key exchange and send SSH_MSG_NEWKEYS.
4. Before any SSH_MSG_USERAUTH_REQUEST, send a compressed SSH_MSG_DEBUG packet:
   - compressed packet body: < 256 KiB
   - decompressed packet body: > 128 MiB
5. Vulnerable behavior: russh accepts and inflates the packet, then reaches the
   normal DEBUG ignore path.
6. Fixed behavior: russh rejects during decompression with Error::PacketSize.

The direct receive-path client/server regression tests are still useful because they isolate the bug precisely. They construct the post-decryption compressed packet body passed to maybe_decompress() and prove that the oversized packet is rejected before normal DEBUG ignore handling. The server-side pre-auth variant above is the one that justifies the highest CVSS framing for this bug.

The most important targeted checks are:

cargo test -p russh oversized_debug_payload_can_stay_below_wire_cap -- --nocapture
cargo test -p russh oversized_compressed_debug_is_rejected_before_client_ignores_it -- --nocapture
cargo test -p russh oversized_compressed_debug_is_rejected_before_server_ignores_it -- --nocapture

Before the fix, both the direct client and direct server receive-path oversized checks went red because the compressed payload was accepted and decompressed instead of being rejected at the post-decompression boundary. After the fix, they pass.

Impact

Suggested CVSS v3.1 for current maintained releases:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Score: 7.5

Reasoning:

AV:N: reachable by a remote SSH peer
AC:L: straightforward once compression is enabled
PR:N, UI:N: no prior auth or user interaction required
C:N, I:N: confidentiality or integrity impact was not demonstrated
A:H: remote peer can cause oversized post-decompression packet processing and disconnect / denial of service

Affected versions:

historical stronger case: russh >= 0.34.0, < 0.58.0
current maintained remote DoS case: russh >= 0.58.0, including 0.60.3

Fix / Patch Direction

Add an explicit maximum decompressed SSH packet size and enforce it inside Decompress::decompress() before returning decompressed bytes to the client or server packet parser.

The intended ceiling is 128 MiB, matching OpenSSH portable's effective sshbuf hard maximum for post-decompression packet storage. The fix should reject decompression output larger than that bound with a packet-size error before normal message dispatch.

The fix should preserve normal compressed packet behavior below the cap, including DEBUG packets that are decompressed and then ignored through the existing normal path.

Patch branch:

fix/zlib-decompression-cap

Severity

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "russh"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.34.0"
            },
            {
              "fixed": "0.61.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-46702"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-29T19:37:14Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\nWhen SSH compression is enabled, `russh` accepted compressed packets whose on-wire size passed the normal transport packet-length checks but whose decompressed size was much larger. This allowed a remote peer to send oversized post-decompression packets that should have been rejected.\n\nIn current releases, this is a remote denial-of-service / resource-exhaustion issue in the post-decompression receive path.\n\nIn older releases before `0.58.0`, the same remote decompression path used `CryptoVec`, which appears to make the historical impact worse.\n\n### Details\n\nThe normal SSH transport read path enforces a packet-length limit before the packet body is read:\n\n- `russh/src/cipher/mod.rs`\n\nHowever, RFC 4253 compression is applied to the SSH `payload` field only. The `packet_length` field and MAC are computed over the compressed payload, so a packet that is reasonably sized on the wire can still expand to a much larger message body after decompression.\n\nIn `russh`, compressed packet bodies are later decompressed in:\n\n- `russh/src/compression.rs`\n- `russh/src/client/mod.rs`\n- `russh/src/server/session.rs`\n\nBefore the fix, `Decompress::decompress()` grew its output buffer by repeated doubling and did not enforce a separate post-decompression ceiling. That meant a peer could send a small compressed packet that passed the normal on-wire transport length checks and then inflate it into a much larger packet after decompression.\n\nIt was verified that an attacker-crafted compressed payload can stay below the normal `256 KiB` implementation transport packet cap while still inflating above the intended post-decompression bound. In other words, this is not only a \"large on-wire packet\" issue.\n\nVersion detail:\n\n- The underlying post-decompression bounds bug appears to affect `russh` as far back as `0.34.0`.\n- In historical releases `\u003e= 0.34.0, \u003c 0.58.0`, the remote decompression path still used `CryptoVec`. Remote compressed SSH traffic could drive that path, and under constrained memory that historical code path could abort the process.\n- In current-style releases `\u003e= 0.58.0`, non-secret packet/decompression buffers were moved off `CryptoVec` and onto `Vec\u003cu8\u003e`, but the post-decompression size still remained unbounded. So the bug class remained reachable remotely, but the maintained-line impact is a current remote DoS / oversized-packet-acceptance issue rather than the older `CryptoVec`-based abort story.\n- The maintained-line fix was verified against `0.60.2`.\n\nCompression is not selected in a default-vs-default `russh` session because the default preference order puts `none` first. However, the default server configuration still advertises `zlib` and `zlib@openssh.com`, and server-side negotiation follows the client\u0027s preference order for common algorithms. A client that prefers compression can therefore negotiate it with a default `russh` server.\n\nOpenSSH portable was checked at `/home/mjc/projects/openssh-portable` commit `45b30e0a5`. OpenSSH enforces a `256 KiB` transport packet cap before decompression, but it does not reuse that cap after decompression. Instead, decompression writes to an `sshbuf`, which is indirectly bounded by OpenSSH\u0027s `SSHBUF_SIZE_MAX` hard maximum of `0x8000000` bytes (`128 MiB`).\n\nThe patch direction should follow that model: add an explicit post-decompression ceiling of `128 MiB`, rather than assuming the compressed transport packet cap also bounds decompressed payload size.\n\nRelevant OpenSSH reference points:\n\n- `/home/mjc/projects/openssh-portable/packet.c`: `PACKET_MAX_SIZE (256 * 1024)`\n- `/home/mjc/projects/openssh-portable/packet.c`: `uncompress_buffer()` inflates into `compression_buffer`\n- `/home/mjc/projects/openssh-portable/sshbuf.h`: `SSHBUF_SIZE_MAX 0x8000000`\n\n### RFC / OpenSSH Comparison\n\nRFC 4253 section 6 defines the binary packet format:\n\n- `packet_length`\n- `padding_length`\n- `payload`\n- random padding\n- MAC\n\nRFC 4253 section 6.2 says that, when compression is negotiated, the `payload` field is compressed, and that `packet_length` and MAC are computed from the compressed payload. The RFC also says implementations should check that packet length is reasonable to avoid denial-of-service and buffer-overflow attacks.\n\nThat means the pre-decompression transport packet length check is necessary but not sufficient. A correct implementation still needs a reasonable bound on the decompressed payload that becomes parser input.\n\nOpenSSH provides such a bound indirectly through `sshbuf`\u0027s hard maximum. The `russh` fix should make the corresponding post-decompression bound explicit.\n\n### PoC\n\nThere were two kinds of proof:\n\n- a wire-cap sanity test showing an attacker-crafted best-compressed `DEBUG` payload can stay below the normal SSH transport packet cap while still inflating beyond the intended post-decompression bound\n- direct client and server receive-path tests that exercise the oversized post-decompression behavior itself\n\nThe current in-tree regression tests are:\n\n- `tests::compress::oversized_debug_payload_can_stay_below_wire_cap`\n- `compression::tests::oversized_decompressed_packet_is_rejected`\n- `client::tests::compressed_debug_is_ignored_after_client_parses_it`\n- `client::tests::oversized_compressed_debug_is_rejected_before_client_ignores_it`\n- `server::session::tests::compressed_debug_is_ignored_after_server_parses_it`\n- `server::session::tests::oversized_compressed_debug_is_rejected_before_server_ignores_it`\n\nThe important behavior is:\n\n1. An attacker-crafted best-compressed `DEBUG` payload can stay below the normal `256 KiB` transport packet cap while still inflating beyond `128 MiB`.\n2. In the direct client and server receive paths, small compressed `DEBUG` packets are still ignored normally after parsing.\n3. In the direct client and server receive paths, oversized compressed `DEBUG` packets are rejected before the implementation reaches the normal \"ignore DEBUG\" behavior.\n\nThe strongest PoC for severity is the unauthenticated server-side case. A malicious client can choose `zlib` in the initial key exchange, because the default server advertises it and server-side negotiation follows the client\u0027s preference order for common algorithms. After `NEWKEYS`, but before authentication, the client can send a transport-layer `SSH_MSG_DEBUG` packet whose compressed body is below the transport packet cap but whose decompressed body exceeds the post-decompression cap.\n\nThat demonstrates the `AV:N/AC:L/PR:N/UI:N` case directly: the attacker is a remote SSH client and does not need a successfully authenticated session.\n\n```rust\nfn compressed_debug_payload(payload_len: usize) -\u003e Vec\u003cu8\u003e {\n    let mut payload = vec![b\u0027A\u0027; payload_len];\n    payload[0] = crate::msg::DEBUG;\n\n    let mut encoder =\n        flate2::write::ZlibEncoder::new(Vec::new(), flate2::Compression::best());\n    encoder.write_all(\u0026payload).unwrap();\n    let compressed = encoder.finish().unwrap();\n\n    assert!(\n        compressed.len() \u003c 256 * 1024,\n        \"oversized post-decompression payload still fits under the wire cap\"\n    );\n    compressed\n}\n\nfn incoming_packet(compressed: Vec\u003cu8\u003e) -\u003e SSHBuffer {\n    let mut buffer = SSHBuffer::new();\n    // maybe_decompress() receives the clear SSHBuffer after packet framing,\n    // and decompresses bytes after packet_length + padding_length.\n    buffer.buffer.extend_from_slice(\u0026[0; 5]);\n    buffer.buffer.extend_from_slice(\u0026compressed);\n    buffer\n}\n\n#[test]\nfn unauthenticated_client_zlib_debug_is_rejected_by_server_before_auth() {\n    let mut server = preauth_server_session_after_newkeys_with_zlib_decompressor();\n    let oversized = MAXIMUM_DECOMPRESSED_PACKET_LEN + 1024;\n    let buffer = incoming_packet(compressed_debug_payload(oversized));\n\n    let err = server.maybe_decompress(\u0026buffer).unwrap_err();\n    assert!(\n        matches!(err, crate::Error::PacketSize(len) if len \u003e MAXIMUM_DECOMPRESSED_PACKET_LEN)\n    );\n}\n```\n\nThe equivalent wire-level attack shape is:\n\n```text\n1. Connect to a russh server using the default compression advertisement.\n2. Send SSH_MSG_KEXINIT with compression client-to-server preference:\n   zlib,zlib@openssh.com,none\n3. Complete key exchange and send SSH_MSG_NEWKEYS.\n4. Before any SSH_MSG_USERAUTH_REQUEST, send a compressed SSH_MSG_DEBUG packet:\n   - compressed packet body: \u003c 256 KiB\n   - decompressed packet body: \u003e 128 MiB\n5. Vulnerable behavior: russh accepts and inflates the packet, then reaches the\n   normal DEBUG ignore path.\n6. Fixed behavior: russh rejects during decompression with Error::PacketSize.\n```\n\nThe direct receive-path client/server regression tests are still useful because they isolate the bug precisely. They construct the post-decryption compressed packet body passed to `maybe_decompress()` and prove that the oversized packet is rejected before normal `DEBUG` ignore handling. The server-side pre-auth variant above is the one that justifies the highest CVSS framing for this bug.\n\nThe most important targeted checks are:\n\n```bash\ncargo test -p russh oversized_debug_payload_can_stay_below_wire_cap -- --nocapture\ncargo test -p russh oversized_compressed_debug_is_rejected_before_client_ignores_it -- --nocapture\ncargo test -p russh oversized_compressed_debug_is_rejected_before_server_ignores_it -- --nocapture\n```\n\nBefore the fix, both the direct client and direct server receive-path oversized checks went red because the compressed payload was accepted and decompressed instead of being rejected at the post-decompression boundary. After the fix, they pass.\n\n### Impact\n\nSuggested CVSS v3.1 for current maintained releases:\n\n- `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`\n- Score: `7.5`\n\nReasoning:\n\n- `AV:N`: reachable by a remote SSH peer\n- `AC:L`: straightforward once compression is enabled\n- `PR:N`, `UI:N`: no prior auth or user interaction required\n- `C:N`, `I:N`: confidentiality or integrity impact was not demonstrated\n- `A:H`: remote peer can cause oversized post-decompression packet processing and disconnect / denial of service\n\nAffected versions:\n\n- historical stronger case: `russh \u003e= 0.34.0, \u003c 0.58.0`\n- current maintained remote DoS case: `russh \u003e= 0.58.0`, including `0.60.3`\n\n### Fix / Patch Direction\n\nAdd an explicit maximum decompressed SSH packet size and enforce it inside `Decompress::decompress()` before returning decompressed bytes to the client or server packet parser.\n\nThe intended ceiling is `128 MiB`, matching OpenSSH portable\u0027s effective `sshbuf` hard maximum for post-decompression packet storage. The fix should reject decompression output larger than that bound with a packet-size error before normal message dispatch.\n\nThe fix should preserve normal compressed packet behavior below the cap, including `DEBUG` packets that are decompressed and then ignored through the existing normal path.\n\nPatch branch:\n\n```text\nfix/zlib-decompression-cap\n```",
  "id": "GHSA-wwx6-x28x-8259",
  "modified": "2026-05-29T19:37:14Z",
  "published": "2026-05-29T19:37:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Eugeny/russh/security/advisories/GHSA-wwx6-x28x-8259"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Eugeny/russh"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "russh: Post-decompression SSH packet size was not bounded, allowing remote oversized compressed packets"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-46702 (GCVE-0-2026-46702)

FKIE_CVE-2026-46702

GHSA-WWX6-X28X-8259

Summary

Details

RFC / OpenSSH Comparison

PoC

Impact

Fix / Patch Direction

Tags

Sightings

Nomenclature