Security Advisory - Published 2026-06-12 - SSH Library

Russh CVE-2026-48108: check Rust SSH services before they stall under connection pressure

CVE-2026-48108 affects Rust services built on russh from 0.34.0-beta.1 before 0.61.0. This is not the OpenSSH server package most Linux admins know. It matters when an application embeds russh to provide SSH-like access, tunneling, admin consoles, or custom protocol endpoints.

Defensive scope: this checklist covers dependency inventory, patching, connection limits, and logs for owned services. It does not include malformed SSH identification examples or testing against systems you do not operate.

Who should check

| Question | What to look for |
| --- | --- |
| Do you run OpenSSH? | This CVE is about russh, not the normal OpenSSH daemon. |
| Do you ship a Rust SSH endpoint? | Check Cargo.lock and the service image for russh. |
| Is it internet-facing? | Prioritize public SSH-compatible endpoints and remote admin services. |
| What version is safe? | Upgrade russh to 0.61.0 or newer. |

Inventory checks

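# Find russh in lockfiles; -A1 also prints the version line that follows the name
grep -R -A1 'name = "russh"' Cargo.lock */Cargo.lock 2>/dev/null
# Show which crates in the workspace pull russh in
cargo tree -i russh 2>/dev/null
# List local images whose names suggest an SSH, admin, or gateway service
docker images --format "{{.Repository}}:{{.Tag}}" | grep -Ei 'ssh|admin|gateway'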

If the service is packaged in a container, check the source lockfile used for that image, not just the current repository. Old images can stay in production after the codebase has already moved on.
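
An added example, not part of the original advisory or the russh project: a lockfile audit that applies the affected range stated above (0.34.0-beta.1 up to, but not including, 0.61.0) using SemVer ordering, so the beta lower bound and several pinned copies in one lock are handled. The function names and the sample lockfile are constructed for illustration.

```python
import re
import sys

# Affected range as stated in the advisory: 0.34.0-beta.1 <= russh < 0.61.0
FIRST_AFFECTED, FIRST_FIXED = "0.34.0-beta.1", "0.61.0"

# Constructed sample lockfile (not from a real project).
SAMPLE_LOCK = """[[package]]
name = "russh"
version = "0.45.0"
[[package]]
name = "russh-keys"
version = "0.45.0"
[[package]]
name = "russh"
version = "0.61.0"
"""

def semver_key(version):
    """Sort key following SemVer precedence; build metadata (+...) is ignored."""
    core, _, pre = version.split("+")[0].partition("-")
    nums = tuple(int(p) for p in core.split("."))
    if not pre:
        return (nums, 1, ())  # a release sorts after its own pre-releases
    # Numeric identifiers sort below alphanumeric ones and compare as integers.
    ids = tuple((0, int(p), "") if p.isdigit() else (1, 0, p) for p in pre.split("."))
    return (nums, 0, ids)

def russh_versions(lock_text):
    """Every russh pin in one Cargo.lock; exact name match skips russh-keys etc."""
    found = []
    for block in lock_text.split("[[package]]")[1:]:
        name = re.search(r'^name = "([^"]+)"', block, re.M)
        ver = re.search(r'^version = "([^"]+)"', block, re.M)
        if name and ver and name.group(1) == "russh":
            found.append(ver.group(1))
    return found

def is_affected(version):
    return semver_key(FIRST_AFFECTED) <= semver_key(version) < semver_key(FIRST_FIXED)

def audit(lock_text):
    """Map each pinned russh version to True when it is in the affected range."""
    return {v: is_affected(v) for v in russh_versions(lock_text)}

if __name__ == "__main__":  # usage: python3 russh_audit.py path/to/Cargo.lock ...
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            print(path, audit(fh.read()))
```

Run it against the lockfile that was used to build each deployed image, since that is the version actually in production.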

What to review after patching

  • Upgrade russh to 0.61.0 or a later fixed version and rebuild the service image.
  • Limit unauthenticated connection duration, concurrent handshakes, and per-IP connection count.
  • Review load balancer and service logs for connection spikes that never reach authentication.
  • Confirm health checks still distinguish a slow pre-authentication phase from a healthy SSH service.

Ping7 repair path

Ping7 can review exposed SSH-like services, Cargo dependency locks, container image versions, and post-patch connection behavior. Use CVE Repair when the service is public-facing or tied to production administration.

References