Time-of-Check Time-of-Use Race Condition in Erlang/OTP DTLS Servers
CVE-2026-55950

8.7 HIGH

Key Information:

Vendor: Erlang
Status: Vendor
CVE Published: 2 July 2026

What is CVE-2026-55950?

A vulnerability exists in the DTLS server listener of Erlang/OTP due to a time-of-check time-of-use (TOCTOU) race condition in the dtls_packet_demux module. By rapidly sending multiple ClientHello messages from the same source, an unauthenticated remote attacker can trigger the race in the demux's key-value store and crash the shared dtls_packet_demux process. Because that process is shared by every active DTLS session on the listener, the crash results in a denial of service for all clients, with no authentication or special configuration required.

Affected Version(s)

OTP 10.9

OTP 25.3

OTP 44dcb4c3d900777493ce2a6129f451aa475811f9

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Lukas Backström
Ingela Anderton Andin
Dan Gudmundsson