CVE-2026-23943
Analyzed Analyzed - Analysis Complete
Compression Bomb DoS in Erlang OTP ssh_transport Module

Publication date: 2026-03-13

Last updated on: 2026-05-21

Assigner: EEF

Description
Improper Handling of Highly Compressed Data (Compression Bomb) vulnerability in Erlang OTP ssh (ssh_transport modules) allows Denial of Service via Resource Depletion. The SSH transport layer advertises legacy zlib compression by default and inflates attacker-controlled payloads pre-authentication without any size limit, enabling reliable memory exhaustion DoS. Two compression algorithms are affected: * zlib: Activates immediately after key exchange, enabling unauthenticated attacks * [email protected]: Activates post-authentication, enabling authenticated attacks Each SSH packet can decompress ~255 MB from 256 KB of wire data (1029:1 amplification ratio). Multiple packets can rapidly exhaust available memory, causing OOM kills in memory-constrained environments. This vulnerability is associated with program files lib/ssh/src/ssh_transport.erl and program routines ssh_transport:decompress/2, ssh_transport:handle_packet_part/4. This issue affects OTP from OTP 17.0 until OTP 28.4.1, 27.3.4.9 and 26.2.5.18 corresponding to ssh from 3.0.1 until 5.5.1, 5.2.11.6 and 5.1.4.14.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-13
Last Modified
2026-05-21
Generated
2026-06-16
AI Q&A
2026-03-13
EPSS Evaluated
2026-06-14
NVD
CVE-2026-23943
EUVD
EUVD-2026-11780
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
erlang erlang/otp From 17.0 (inc) to 26.2.5.18 (exc)
erlang erlang/otp From 27.0 (inc) to 27.3.4.9 (exc)
erlang erlang/otp From 28.0 (inc) to 28.4.1 (exc)
erlang erlang/ssh From 3.0.1 (inc) to 5.1.4.14 (exc)
erlang erlang/ssh From 5.2 (inc) to 5.2.11.6 (exc)
erlang erlang/ssh From 5.5 (inc) to 5.5.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-409 The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-23943 is a vulnerability in the Erlang OTP SSH component caused by improper handling of highly compressed data, also known as a compression bomb. The SSH transport layer uses legacy zlib compression by default and decompresses attacker-controlled payloads before authentication without any size limit. This allows attackers to send specially crafted compressed packets that decompress to very large sizes, leading to excessive memory consumption.

Two compression algorithms are affected: zlib, which activates immediately after key exchange allowing unauthenticated attacks, and [email protected], which activates post-authentication allowing authenticated attacks. Each SSH packet can decompress approximately 255 MB from just 256 KB of compressed data, resulting in a high amplification ratio. Multiple such packets can quickly exhaust system memory, causing denial of service (DoS) by crashing SSH clients or servers, especially in memory-constrained environments.

The vulnerability arises because there is no upper bound on the size of decompressed data, enabling attackers to cause resource depletion. No privileges or user interaction are required to exploit this network-based vulnerability.

Impact Analysis

This vulnerability can impact you by causing denial of service (DoS) conditions on systems running vulnerable versions of Erlang OTP SSH. Attackers can send compressed SSH packets that decompress to very large sizes, consuming excessive memory and potentially crashing SSH servers or clients.

In memory-constrained environments, this can lead to out-of-memory (OOM) kills or system instability. The attack can be performed without authentication and requires no user interaction, making it easy to exploit remotely over the network.

The impact is limited to availability, meaning it disrupts service but does not affect confidentiality or integrity of data.

Mitigations include disabling zlib compression by default, enforcing strict limits on decompressed data size, and disconnecting clients that exceed these limits to prevent resource exhaustion.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "Detection of this vulnerability involves monitoring SSH traffic for the use of zlib compression algorithms, especially the legacy 'zlib' compression activated pre-authentication and '[email protected]' post-authentication. Since the vulnerability exploits highly compressed SSH packets that decompress to very large sizes, unusual memory consumption or out-of-memory (OOM) events on SSH servers or clients can be indicators."}, {'type': 'paragraph', 'content': 'To detect potential exploitation attempts, you can check SSH server configuration and logs for compression settings and errors related to decompression size limits or disconnects with messages like "Bad packet: Size after decompression exceeds max size."'}, {'type': 'paragraph', 'content': 'While no specific commands are provided in the resources, general approaches include:'}, {'type': 'list_item', 'content': 'Review SSH server configuration files (e.g., sshd_config) to check if zlib compression is enabled.'}, {'type': 'list_item', 'content': 'Monitor system logs (e.g., /var/log/auth.log or journalctl) for SSH disconnect messages related to decompression errors.'}, {'type': 'list_item', 'content': 'Use network packet capture tools (e.g., tcpdump, Wireshark) to analyze SSH traffic for compression negotiation and unusually large decompressed payloads.'}, {'type': 'list_item', 'content': 'Monitor system memory usage and OOM events correlated with SSH connections.'}] [1, 2, 3, 4]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps focus on disabling or limiting the use of zlib compression in the Erlang/OTP SSH server to prevent unbounded decompression and resource exhaustion.'}, {'type': 'list_item', 'content': "Disable zlib compression by default in the SSH server configuration to reduce the attack surface, especially the legacy 'zlib' compression that activates pre-authentication."}, {'type': 'list_item', 'content': 'Enforce strict upper bounds on decompressed data size to prevent excessive memory consumption; patched versions implement this by disconnecting clients that exceed size limits.'}, {'type': 'list_item', 'content': 'Upgrade Erlang/OTP and SSH components to patched versions that include these mitigations: OTP releases 28.4.1, 27.3.4.9, and 26.2.5.18, or SSH versions 5.5.1, 5.2.11.6, and 5.1.4.14.'}, {'type': 'list_item', 'content': 'Limit the number of concurrent SSH sessions (max_sessions) when compression is enabled to reduce resource exhaustion risk.'}, {'type': 'list_item', 'content': 'Review and update SSH hardening guides and documentation to avoid using unsafe compression algorithms and to apply recommended security configurations.'}] [2, 3, 4, 1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23943. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart