Time-of-Check Time-of-Use Race Condition in Erlang/OTP DTLS Servers
CVE-2026-55950
8.7 HIGH
What is CVE-2026-55950?
A vulnerability exists in the DTLS server listener of Erlang/OTP due to a time-of-check time-of-use (TOCTOU) race condition in the dtls_packet_demux module. An unauthenticated remote attacker can trigger the race in the demux's key-value store by rapidly sending multiple ClientHello messages from the same source, which crashes the shared dtls_packet_demux process. Because that process is shared by the listener, its crash terminates all active DTLS sessions on the listener, denying service to every client; no authentication or specific configuration is required.
Affected Version(s)
OTP 10.9
OTP 25.3
OTP 44dcb4c3d900777493ce2a6129f451aa475811f9
References
CVSS V4
Score: 8.7
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Lukas Backström
Ingela Anderton Andin
Dan Gudmundsson
