CVE-2026-48850

Vulnerability

PuTTY versions 0.72 through 0.83 [2] contain a double-free vulnerability in the implementation of the RSA key exchange method (RFC 4432). The bug resides in ssh_rsakex_freekey, which frees the entire RSA key structure. On an error handling path — specifically when the server sends an unexpectedly short RSA public key during the key exchange — the code subsequently also calls a generic free function on the outermost struct, resulting in a double-free [2]. The code path is reachable only when the server offers RSA kex, as PuTTY will use it if it is the only mutually supported method [2].

Exploitation

An attacker controlling an SSH server or in a Man-in-the-Middle (MITM) position can trigger the double-free without authentication [1][2]. The attacker must present RSA kex as the only key-exchange option in its KEXINIT message and then deliberately send an RSA public key that is shorter than expected [2]. This occurs before host key verification, so the attacker does not need to authenticate the server [2].

Impact

Successful exploitation causes a crash of the PuTTY client during SSH connection startup, resulting in a denial of service [1][2]. The advisory [2] states that no known way exists to exploit the double-free for code execution or to achieve a controllable effect beyond the crash.

Mitigation

The vulnerability is fixed in PuTTY version 0.84, released on 22 May 2026 [1][2]. Users should upgrade to 0.84 or later. There is no known workaround that does not require a patch; users cannot disable RSA kex through configuration. Versions earlier than 0.72 are not affected, and the fix is not listed in KEV.