Infinite Loop Vulnerability in Erlang OTP SFTP Module
CVE-2026-54886

5.3 MEDIUM

Key Information:

Vendor: Erlang

Status: Vendor

CVE Published: 2 July 2026

What is CVE-2026-54886?

The Erlang OTP SFTP module is affected by a vulnerability that allows an authenticated SFTP user to cause a denial of service by sending non-standard channel data that triggers an infinite loop. When the handle_data/4 function is called with a non-zero type code while the pending buffer is empty, it re-enters itself without consuming any input and never terminates. The SFTP channel becomes unresponsive while the process consumes CPU and its message queue grows without bound. Although the impact is limited to denial of service, the issue is significantly amplified by the default configuration, which allows an unlimited number of channels to be opened per connection.
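The amplification described above comes from the per-connection channel limit, which is unbounded by default. The following module, added here as an example and not OTP's own code, contrasts a daemon started with defaults against one that caps channels and sessions; the option names `max_channels` and `max_sessions` are assumed to be those documented for `ssh:daemon/2` in recent OTP releases, and the key directory paths are placeholders.

```erlang
%% Added example (not OTP's own code): start an SFTP daemon with and without
%% per-connection limits, so a looping channel cannot be multiplied across an
%% unlimited number of channels on a single authenticated connection.
-module(sftp_daemon_limits).
-export([start_default/1, start_hardened/1]).

%% Weak: no channel or session limit. An authenticated user can keep opening
%% channels on one connection until the node is starved of CPU and memory.
start_default(Port) ->
    ssh:daemon(Port, [{system_dir, "/etc/ssh"},            % placeholder host-key dir
                      {user_dir,   "/var/sftp/keys"},      % placeholder authorized_keys dir
                      {subsystems, [ssh_sftpd:subsystem_spec([{cwd, "/var/sftp"}])]}]).

%% Hardened: bound the number of channels each connection may hold open and the
%% number of concurrent sessions the daemon accepts (assumed daemon options
%% max_channels and max_sessions). A runaway channel then costs at most a few
%% scheduler threads instead of the whole node, which also makes the resulting
%% high-CPU, growing-message-queue process easier to spot in monitoring.
start_hardened(Port) ->
    ssh:daemon(Port, [{system_dir,   "/etc/ssh"},          % placeholder host-key dir
                      {user_dir,     "/var/sftp/keys"},    % placeholder authorized_keys dir
                      {max_channels, 4},                   % channels per connection
                      {max_sessions, 50},                  % concurrent connections
                      {subsystems,   [ssh_sftpd:subsystem_spec([{cwd, "/var/sftp"}])]}]).
```

The limits reduce blast radius only; the loop itself is fixed by upgrading to a patched OTP release.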

Affected Version(s)

OTP 3.0.1

OTP 17.0

OTP 84adefa3318eef8631bf25cd233246a86eea18cd


CVSS v4

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Lukas Backström
Michał Wąsowski
Jakub Witczak