CVE-2026-23943
Compression Bomb DoS in Erlang OTP ssh_transport Module
Publication date: 2026-03-13
Last updated on: 2026-04-06
Assigner: EEF
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| erlang | otp | From 17.0 (inc) to 28.4.1 (inc) |
| erlang | ssh | From 3.0.1 (inc) to 5.5.1 (inc) |
| erlang | otp | to 28.4.1 (inc) |
| erlang | otp | 27.3.4.9 |
| erlang | otp | 26.2.5.18 |
| erlang | ssh | to 5.5.1 (inc) |
| erlang | ssh | 5.2.11.6 |
| erlang | ssh | 5.1.4.14 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-409 | The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-23943 is a vulnerability in the Erlang OTP SSH component caused by improper handling of highly compressed data, also known as a compression bomb. The SSH transport layer uses legacy zlib compression by default and decompresses attacker-controlled payloads before authentication without any size limit. This allows attackers to send specially crafted compressed packets that decompress to very large sizes, leading to excessive memory consumption.
Two compression algorithms are affected: zlib, which activates immediately after key exchange allowing unauthenticated attacks, and zlib@openssh.com, which activates post-authentication allowing authenticated attacks. Each SSH packet can decompress approximately 255 MB from just 256 KB of compressed data, resulting in a high amplification ratio. Multiple such packets can quickly exhaust system memory, causing denial of service (DoS) by crashing SSH clients or servers, especially in memory-constrained environments.
The vulnerability arises because there is no upper bound on the size of decompressed data, enabling attackers to cause resource depletion. No privileges or user interaction are required to exploit this network-based vulnerability.
How can this vulnerability impact me?
This vulnerability can impact you by causing denial of service (DoS) conditions on systems running vulnerable versions of Erlang OTP SSH. Attackers can send compressed SSH packets that decompress to very large sizes, consuming excessive memory and potentially crashing SSH servers or clients.
In memory-constrained environments, this can lead to out-of-memory (OOM) kills or system instability. The attack can be performed without authentication and requires no user interaction, making it easy to exploit remotely over the network.
The impact is limited to availability, meaning it disrupts service but does not affect confidentiality or integrity of data.
Mitigations include disabling zlib compression by default, enforcing strict limits on decompressed data size, and disconnecting clients that exceed these limits to prevent resource exhaustion.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring SSH traffic for the use of zlib compression algorithms, especially the legacy 'zlib' compression activated pre-authentication and 'zlib@openssh.com' post-authentication. Since the vulnerability exploits highly compressed SSH packets that decompress to very large sizes, unusual memory consumption or out-of-memory (OOM) events on SSH servers or clients can be indicators.

To detect potential exploitation attempts, you can check SSH server configuration and logs for compression settings and errors related to decompression size limits or disconnects with messages like "Bad packet: Size after decompression exceeds max size."

While no specific commands are provided in the resources, general approaches include:

- Review SSH server configuration files (e.g., sshd_config) to check if zlib compression is enabled.
- Monitor system logs (e.g., /var/log/auth.log or journalctl) for SSH disconnect messages related to decompression errors.
- Use network packet capture tools (e.g., tcpdump, Wireshark) to analyze SSH traffic for compression negotiation and unusually large decompressed payloads.
- Monitor system memory usage and OOM events correlated with SSH connections.

[1, 2, 3, 4]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps focus on disabling or limiting the use of zlib compression in the Erlang/OTP SSH server to prevent unbounded decompression and resource exhaustion.

- Disable zlib compression by default in the SSH server configuration to reduce the attack surface, especially the legacy 'zlib' compression that activates pre-authentication.
- Enforce strict upper bounds on decompressed data size to prevent excessive memory consumption; patched versions implement this by disconnecting clients that exceed size limits.
- Upgrade Erlang/OTP and SSH components to patched versions that include these mitigations: OTP releases 28.4.1, 27.3.4.9, and 26.2.5.18, or SSH versions 5.5.1, 5.2.11.6, and 5.1.4.14.
- Limit the number of concurrent SSH sessions (max_sessions) when compression is enabled to reduce resource exhaustion risk.
- Review and update SSH hardening guides and documentation to avoid using unsafe compression algorithms and to apply recommended security configurations.

[2, 3, 4, 1]
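As an added illustration (not code from the OTP ssh application or from the advisory), the following Python models the per-packet upper bound that the patched releases enforce: the inflate step is given a cap and the packet is rejected when the cap would be exceeded, alongside the unbounded pattern it replaces. The cap value and the sample payload are constructed assumptions; real SSH compression is one zlib stream continued across packets, which this simplified per-packet model does not reproduce.

```python
import zlib

# Constructed sample input: 4 MiB of zero bytes deflates to a few KiB,
# which is the amplification pattern behind a decompression bomb.
PLAIN_SIZE = 4 * 1024 * 1024
BOMB = zlib.compress(b"\x00" * PLAIN_SIZE, 9)

# Constructed sample of an ordinary small packet payload.
SMALL_PLAIN = b"ssh-userauth request (constructed sample)"
SMALL = zlib.compress(SMALL_PLAIN)

# Assumed per-packet cap on decompressed bytes; the advisory states that a
# strict upper bound is enforced but the exact value used here is a guess.
MAX_DECOMPRESSED = 256 * 1024


class DecompressionBomb(Exception):
    """Raised when inflating a packet would exceed the configured cap."""


def amplification_ratio(compressed: bytes, plain_len: int) -> float:
    """Decompressed bytes per compressed byte for a payload."""
    return plain_len / len(compressed)


def inflate_unbounded(compressed: bytes) -> int:
    """The vulnerable pattern: inflate everything with no upper bound and
    return how many bytes were materialised in memory."""
    return len(zlib.decompress(compressed))


def inflate_bounded(compressed: bytes, max_out: int = MAX_DECOMPRESSED) -> bytes:
    """Hardened pattern: ask zlib for at most max_out + 1 bytes; if more than
    max_out came back the packet is oversized and the connection should be
    dropped instead of allocating the rest."""
    d = zlib.decompressobj()
    out = d.decompress(compressed, max_out + 1)
    if len(out) > max_out:
        raise DecompressionBomb(
            f"Bad packet: Size after decompression exceeds max size ({max_out})")
    return out


def packet_within_limit(compressed: bytes, max_out: int = MAX_DECOMPRESSED) -> bool:
    """True if the packet inflates within the cap, False if it would be rejected."""
    try:
        inflate_bounded(compressed, max_out)
        return True
    except DecompressionBomb:
        return False
```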