Denial of Service Vulnerability in Erlang OTP SSH Transport Layer
CVE-2026-23943

CVSS v4 score: 6.9 (MEDIUM)

Key Information:

Vendor: Erlang
Status: Vendor
CVE Published: 13 March 2026

What is CVE-2026-23943?

The SSH transport layer of the Erlang/OTP ssh application does not bound the size of decompressed data: compressed packet payloads received from the peer are inflated in full, with no limit on the output, before any size check is applied. Because the SSH protocol's legacy zlib compression lets a peer send highly compressible data, this is a classic compression bomb. Two compression methods are affected. With zlib (RFC 4253), compression is switched on as soon as key exchange completes (after NEWKEYS), so the attack needs no authentication at all; with zlib@openssh.com, compression only starts after successful user authentication, so the attacker must first authenticate. Deflate reaches a ratio of roughly 1000:1 on repetitive input, so a single packet of about 256 KB on the wire can inflate to approximately 255 MB; a handful of such packets exhausts memory rapidly, particularly on memory-constrained systems. The impact is denial of service; confidentiality and integrity are not affected.
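The following is an added example written for this page in Python; it is not Erlang/OTP code and does not reproduce the ssh application's internals. It frames a deflated payload as an RFC 4253 binary packet, measures the inflation ratio an attacker gets from a run of identical bytes, and contrasts an unbounded inflater (the pattern the advisory describes) with one that caps the inflated size per packet. The packet-length cap (MAX_PACKET_LEN), the inflated-size budget (MAX_INFLATED), and the function names are assumptions made for the demonstration, not values or APIs from OTP.

```python
"""Compression-bomb behaviour of zlib-compressed SSH packets (added example).

Models an RFC 4253 binary packet whose payload is deflated and shows why
inflating it without an output bound is dangerous. The two caps below are
assumed values for the demo, not OTP's configuration.
"""
import struct
import zlib

MAX_PACKET_LEN = 256 * 1024   # assumed cap on the wire-side packet_length field
MAX_INFLATED = 256 * 1024     # assumed per-packet budget for inflated payload


def make_bomb(inflated_size: int) -> bytes:
    """Return a zlib stream that inflates to `inflated_size` zero bytes.

    RFC 4253 keeps one zlib stream per direction and ends each packet with a
    partial flush, so the stream is deliberately not finished with Z_FINISH.
    Plaintext is fed in 1 MiB chunks: the attacker never has to hold the
    inflated data, only the victim does.
    """
    comp = zlib.compressobj(level=9)
    zeros = b"\x00" * (1 << 20)
    parts = []
    remaining = inflated_size
    while remaining > 0:
        n = min(remaining, len(zeros))
        parts.append(comp.compress(zeros[:n]))
        remaining -= n
    parts.append(comp.flush(zlib.Z_PARTIAL_FLUSH))
    return b"".join(parts)


def build_packet(payload: bytes, block_size: int = 8) -> bytes:
    """Frame `payload` as an RFC 4253 binary packet ('none' cipher, no MAC):
    uint32 packet_length | byte padding_length | payload | padding."""
    padding = block_size - ((4 + 1 + len(payload)) % block_size)
    if padding < 4:               # RFC 4253 requires at least 4 bytes of padding
        padding += block_size
    body = bytes([padding]) + payload + b"\x00" * padding
    return struct.pack(">I", len(body)) + body


def parse_packet(packet: bytes) -> bytes:
    """Return the (still compressed) payload of a framed packet."""
    (packet_length,) = struct.unpack(">I", packet[:4])
    if packet_length > MAX_PACKET_LEN:
        raise ValueError("packet_length exceeds limit")
    padding = packet[4]
    return packet[5:4 + packet_length - padding]


def new_stream():
    """One inflater per direction per session; its state persists across packets."""
    return zlib.decompressobj()


def inflate_unbounded(stream, payload: bytes) -> bytes:
    """Vulnerable pattern: inflate whatever the peer sent, however large."""
    return stream.decompress(payload)


def inflate_bounded(stream, payload: bytes, limit: int = MAX_INFLATED):
    """Hardened pattern: ask zlib for at most limit+1 bytes of output. If it
    produces more than `limit`, or leaves input unconsumed, the packet is a
    bomb. Returns the inflated bytes, or None meaning 'drop the connection'."""
    out = stream.decompress(payload, limit + 1)
    if len(out) > limit or stream.unconsumed_tail:
        return None
    return out


def inflation_ratio(inflated_size: int) -> float:
    """Inflated bytes per wire byte for a bomb of the given size."""
    return inflated_size / len(make_bomb(inflated_size))


if __name__ == "__main__":
    inflated = 8 << 20                       # 8 MiB keeps the demo quick
    packet = build_packet(make_bomb(inflated))
    payload = parse_packet(packet)
    ratio = inflation_ratio(inflated)
    print(f"wire bytes: {len(packet)}  ratio: {ratio:.0f}:1")
    print("unbounded inflate ->", len(inflate_unbounded(new_stream(), payload)), "bytes")
    print("bounded inflate   ->", inflate_bounded(new_stream(), payload))
    print(f"a {MAX_PACKET_LEN // 1024} KiB packet would inflate to about "
          f"{ratio * MAX_PACKET_LEN / 1e6:.0f} MB")
```

The bounded inflater requests limit+1 bytes rather than limit so that a packet whose output is exactly at the budget is accepted while anything larger is detected on the first call, without relying on unconsumed_tail alone. In a real server the rejection should tear down the connection, since the compression stream is shared across packets and cannot be resynchronised after a partial inflate.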


Affected Version(s)

ssh application 3.0.1 (pkg:otp/ssh@3.0.1)

OTP 17.0


CVSS v4

Score: 6.9
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability reserved

  • Vulnerability published (13 March 2026)

Credit

Igor Morgenstern / Aisle Research
Michał Wąsowski
Jakub Witczak