Denial of Service Vulnerability in Erlang OTP SSH Transport Layer
CVE-2026-23943

6.9 MEDIUM

Key Information:

Vendor: Erlang
Status: Vendor
CVE Published: 13 March 2026

What is CVE-2026-23943?

A vulnerability exists in the Erlang OTP SSH transport layer due to improper handling of highly compressed data (a compression bomb). The flaw stems from the SSH protocol's use of legacy zlib compression: the transport layer decompresses attacker-controlled payloads with no limit on the inflated size, so a small amount of wire data can exhaust memory and cause a Denial of Service. Both the zlib and zlib@openssh.com compression methods are affected. With zlib, compression is enabled immediately after key exchange, so the attack requires no authentication; with zlib@openssh.com, compression starts only after authentication, so the attack requires an authenticated session. Memory can be exhausted quickly, particularly on memory-constrained systems, because each SSH packet may inflate to approximately 255 MB from just 256 KB of wire data.
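The defensive control the advisory implies is a cap on inflated output per packet. The following added example (not Erlang OTP code) constructs a highly compressible sample, roughly the 1000:1 ratio the advisory describes, and inflates it through a bounded decompressor that aborts as soon as the output budget is exceeded, rather than decoding the whole stream first; the size constants and function names are assumptions for illustration.

```python
import zlib

SAMPLE_PLAIN_SIZE = 8 * 1024 * 1024  # 8 MiB of zeros; compresses to a few KiB


def make_highly_compressible_blob(size: int = SAMPLE_PLAIN_SIZE) -> bytes:
    """Constructed sample: zeros compress at close to zlib's maximum ratio."""
    return zlib.compress(b"\x00" * size, 9)


class InflateLimitExceeded(Exception):
    """Raised when inflated output would exceed the configured budget."""


def bounded_inflate(data: bytes, max_out: int, chunk: int = 64 * 1024) -> bytes:
    """Inflate `data`, producing at most `chunk` bytes per step, and abort once
    the running total exceeds `max_out`. Unconsumed input is kept in
    unconsumed_tail, so a bomb is rejected after decoding only ~max_out bytes.
    The stream need not reach EOF: SSH flushes the compressor per packet and
    never terminates the stream, so a packet's data ends mid-stream."""
    d = zlib.decompressobj()
    out = bytearray()
    pending = data
    while pending or not d.eof:
        piece = d.decompress(pending, chunk)
        out += piece
        if len(out) > max_out:
            raise InflateLimitExceeded(f"inflated output exceeded {max_out} bytes")
        pending = d.unconsumed_tail
        if not piece and not pending:
            break  # no further progress: packet data fully consumed (or truncated)
    return bytes(out)


def inflate_or_reject(data: bytes, max_out: int):
    """Return (True, plaintext) if the packet inflates within budget, else (False, b'')."""
    try:
        return True, bounded_inflate(data, max_out)
    except InflateLimitExceeded:
        return False, b""


if __name__ == "__main__":
    blob = make_highly_compressible_blob()
    print(f"wire bytes: {len(blob)}, ratio ~{SAMPLE_PLAIN_SIZE // len(blob)}:1")
    print("1 MiB budget accepted:", inflate_or_reject(blob, 1024 * 1024)[0])
```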

Affected Version(s)

  • OTP 3.0.1
  • OTP 17.0
  • OTP 07b8f441ca711f9812fad9e9115bab3c3aa92f79

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Igor Morgenstern / Aisle Research
Michał Wąsowski
Jakub Witczak