CVE-2026-54886
Status: Awaiting Analysis

Infinite Loop in Erlang OTP SSH SFTP Channel

Vulnerability report for CVE-2026-54886, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: EEF

Description

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP user to render an SFTP channel permanently unresponsive.

The handle_data/4 function in ssh_sftpd contains a catch-all clause that accepts channel data of any type. When channel data with a non-zero type code (SSH_MSG_CHANNEL_EXTENDED_DATA) arrives with an empty pending buffer and a payload at or below the SFTP packet size limit, the clause tail-calls itself with identical arguments, creating an infinite loop.

The SFTP protocol operates exclusively on normal channel data (type 0). Extended data (non-zero type) is meaningless for SFTP and is never sent by conforming clients. However, the SSH protocol permits any channel participant to send extended data on an open channel, so an authenticated SFTP client can trigger the loop by sending SSH_MSG_CHANNEL_EXTENDED_DATA with any data_type_code and any non-empty payload at or below the size limit.

The targeted ssh_sftpd process enters an infinite tail-recursive loop. It never processes another message, its message queue grows without bound, and it can only be stopped by killing the process. BEAM's reduction-based scheduler preemption continues to function, so other processes on the node are not starved, but each stuck channel process consumes its full CPU time share continuously and accumulates unbounded message queue memory. Opening many channels amplifies the CPU and memory impact. Erlang/OTP SSH configurations using the default max_channels setting (infinity) allow an authenticated user to open unlimited channels per connection, amplifying the attack without requiring multiple TCP connections or authentications.

No file contents, credentials, or write access are obtainable through this issue. The impact is limited to denial of service on targeted SFTP channels, with secondary CPU degradation and memory growth.

This vulnerability is associated with program file lib/ssh/src/ssh_sftpd.erl and program routine ssh_sftpd:handle_data/4. This issue affects OTP from 17.0 up to, but not including, the fixed releases OTP 29.0.3, 28.5.0.3 and 27.3.4.14, corresponding to the ssh application from 3.0.1 up to, but not including, 6.0.2, 5.5.2.2 and 5.2.11.9.
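
The following Erlang sketch is an added illustration of the clause shape the description gives for handle_data/4; it is not the OTP ssh_sftpd source, which this page does not reproduce. Only the name handle_data/4 and the trigger conditions (non-zero type, empty pending buffer, payload within the packet limit) come from the description; the module name, the state record, the frame/3 and dispatch/2 helpers and the MAX_PACKET value are assumptions. The looping version re-enters with unchanged arguments for any non-zero Type, so its only exit (Type 0) can never be reached; the fixed version accepts and drops extended data before touching the buffer.

```erlang
%% Added illustrative sketch of CWE-835 in an SFTP channel handler.
%% NOT the OTP ssh_sftpd code: names other than handle_data/4 are assumed.
-module(sftpd_loop_sketch).
-export([new_state/0, handle_data_vuln/4, handle_data_fixed/4]).

-define(MAX_PACKET, 65536).                    %% assumed SFTP packet size limit
-record(state, {pending = <<>> :: binary()}).  %% assumed: bytes of an incomplete packet

new_state() -> #state{}.

%% Looping shape. With an empty pending buffer and a payload within the limit,
%% Type 0 goes to the SFTP framing code; any other Type makes the clause call
%% itself with the same four arguments. Nothing in that path changes Type,
%% Data or S, so the exit condition is unreachable and the process never
%% returns to its mailbox.
handle_data_vuln(Type, Cid, Data, #state{pending = <<>>} = S)
  when byte_size(Data) =< ?MAX_PACKET ->
    case Type of
        0 -> frame(Cid, Data, S);
        _ -> handle_data_vuln(Type, Cid, Data, S)
    end;
handle_data_vuln(Type, Cid, Data, #state{pending = Pending})
  when Pending =/= <<>> ->
    %% Buffered bytes from an earlier fragment: join and retry once.
    handle_data_vuln(Type, Cid, <<Pending/binary, Data/binary>>, #state{});
handle_data_vuln(_Type, _Cid, _Data, S) ->
    {error, packet_too_large, S}.

%% Fixed shape. Extended data (Type =/= 0) carries nothing SFTP can use, so it
%% is accepted and dropped and the process gets on with its mailbox. Only
%% Type 0 reaches the framing code; oversize input is rejected, not retried.
handle_data_fixed(Type, _Cid, _Data, S) when Type =/= 0 ->
    {ok, S};
handle_data_fixed(0, Cid, Data, #state{pending = Pending} = S)
  when byte_size(Pending) + byte_size(Data) =< ?MAX_PACKET ->
    frame(Cid, <<Pending/binary, Data/binary>>, S#state{pending = <<>>});
handle_data_fixed(0, _Cid, _Data, S) ->
    {error, packet_too_large, S}.

%% SFTP framing: each packet is a uint32 length followed by that many bytes,
%% the first of which is the SFTP packet type. A trailing partial packet is
%% kept in the pending buffer for the next data message.
frame(Cid, <<Len:32, Body:Len/binary, Rest/binary>>, S) ->
    dispatch(Cid, Body),
    frame(Cid, Rest, S);
frame(_Cid, Partial, S) ->
    {ok, S#state{pending = Partial}}.

dispatch(Cid, <<PacketType:8, _Payload/binary>>) ->
    io:format("channel ~p: SFTP packet type ~p~n", [Cid, PacketType]);
dispatch(_Cid, <<>>) ->
    ok.
```

In a shell, `sftpd_loop_sketch:handle_data_fixed(1, 0, <<"x">>, sftpd_loop_sketch:new_state())` returns `{ok, State}` at once (1 is SSH_EXTENDED_DATA_STDERR, the one data_type_code RFC 4254 defines), whereas `handle_data_vuln` with the same arguments never returns and will hang the calling shell process until it is killed, which is exactly the behaviour the description attributes to the real channel process.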


Meta Information

Published: 2026-07-02
Last Modified: 2026-07-02
Generated: 2026-07-03
AI Q&A: 2026-07-02
EPSS Evaluated: N/A
External entries: NVD, EUVD

Affected Vendors & Products

Showing 4 associated CPEs

Vendor   Product   Version / Range
erlang   otp       from 17.0 (inc) up to 29.0.3 (fixed, excluded)
erlang   ssh       from 3.0.1 (inc) up to 6.0.2 (fixed, excluded)
erlang   ssh       OTP 28 maintenance line, fixed in 5.5.2.2
erlang   ssh       OTP 27 maintenance line, fixed in 5.2.11.9

The fixed versions are ssh 6.0.2, 5.5.2.2 and 5.2.11.9 (OTP 29.0.3, 28.5.0.3 and 27.3.4.14), so each range ends just before its fix release. The OTP 28 and OTP 27 rows carry only the fix version because the CPE data gives no lower bound for those maintenance lines.

Exploitability

CWE

CWE ID   Description
CWE-835  The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
CWE-400  The product does not properly control the allocation and maintenance of a limited resource.

AI Quick Actions

Executive Summary

This vulnerability is an infinite loop issue in the Erlang OTP SSH SFTP server, specifically in the ssh_sftpd module's handle_data/4 function. When an authenticated SFTP user sends extended channel data (with a non-zero type code) that is not normally used by the SFTP protocol, the function enters an infinite tail-recursive loop. This happens because the function processes any channel data type without properly handling extended data, causing it to repeatedly call itself with the same arguments.

As a result, the targeted SFTP channel becomes permanently unresponsive, its message queue grows without bound, and the process consumes CPU continuously. Affected are Erlang/OTP from 17.0 up to, but not including, the fixed releases 29.0.3, 28.5.0.3 and 27.3.4.14 (ssh application 6.0.2, 5.5.2.2 and 5.2.11.9).

Impact Analysis

The primary impact of this vulnerability is a denial of service (DoS) on targeted SFTP channels. An authenticated user can cause an SFTP channel to become permanently unresponsive by triggering an infinite loop in the ssh_sftpd process.

Secondary impacts include continuous CPU usage by the affected process and unbounded growth of its message queue memory, which can degrade system performance. Opening multiple channels amplifies these effects, potentially leading to significant CPU and memory resource consumption.

Importantly, this vulnerability exposes no file contents or credentials and grants no write access. The denial of service is limited to the affected SFTP channels, plus the CPU time and memory those stuck processes consume on the node.

Detection Guidance

This vulnerability causes the ssh_sftpd process handling an SFTP channel to enter an infinite loop, making the channel permanently unresponsive. Detection therefore targets the symptoms of a looping BEAM process: sustained CPU use and a message queue that only grows.

Note that ssh_sftpd is an Erlang process inside the BEAM virtual machine, not an operating-system process. OS tools see only the VM (beam.smp) as a whole; per-channel inspection has to be done from inside the node.

Specific commands depend on your environment, but general suggestions include:

  • Use `top` or `htop` to spot the beam.smp process running hot: each stuck channel keeps consuming its full scheduler time share, so CPU rises by roughly one busy process per stuck channel and never settles.
  • From a remote shell or observer, inspect processes whose current function is in the ssh_sftpd module (for this bug, handle_data/4 itself). A healthy channel returns to its gen_server loop between messages; a stuck one is always in ssh_sftpd, its message_queue_len never shrinks, and its reductions keep climbing between samples.
  • Check logs and user reports for SFTP sessions that hang after a successful login.
  • Network monitoring cannot see SSH_MSG_CHANNEL_EXTENDED_DATA: channel messages travel inside the encrypted SSH transport, so an IDS sees only ciphertext. Extended data on an SFTP channel is never sent by conforming clients and is hostile by definition, but observing it requires tracing on the server itself (for example with the ssh application's ssh_dbg facility); in practice the process-level symptoms above are the reliable signal.
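
The following module is an added example of the process-level check described above; it is not part of OTP. Load it on the affected node (or paste the functions into a remote shell attached with `erl -remsh`) to list channel processes that look stuck in ssh_sftpd:handle_data/4, confirm them by sampling twice, and kill the confirmed ones. The module name, the mailbox threshold and the sampling interval are assumptions.

```erlang
%% Added example, not OTP code: find and kill SFTP channel processes stuck in
%% ssh_sftpd. Run on the affected node. Thresholds are assumptions.
-module(sftpd_stuck).
-export([find/1, confirm/2, kill_stuck/2]).

%% Candidates: processes currently executing in ssh_sftpd whose mailbox holds
%% at least MinQueue messages. Returns one map per candidate.
find(MinQueue) ->
    lists:filtermap(fun(P) -> probe(P, MinQueue) end, erlang:processes()).

probe(P, MinQueue) ->
    case erlang:process_info(P, [current_function, message_queue_len, reductions]) of
        [{current_function, {ssh_sftpd, _, _} = CF},
         {message_queue_len, Q},
         {reductions, R}] when Q >= MinQueue ->
            {true, #{pid => P, current_function => CF, queue_len => Q, reductions => R}};
        _ ->
            false   %% some other process, or it exited (undefined)
    end.

%% A busy but healthy channel drains its mailbox between messages; a looping
%% one burns reductions while its queue never shrinks. Sample twice,
%% SampleMs apart, and require both signs. Use a generous interval (seconds)
%% so a channel that is merely under load is not mistaken for a stuck one.
confirm(P, SampleMs) ->
    case snapshot(P) of
        undefined ->
            false;
        {Q1, R1} ->
            timer:sleep(SampleMs),
            case snapshot(P) of
                undefined -> false;
                {Q2, R2} -> R2 > R1 andalso Q2 >= Q1
            end
    end.

snapshot(P) ->
    case erlang:process_info(P, [message_queue_len, reductions]) of
        [{message_queue_len, Q}, {reductions, R}] -> {Q, R};
        undefined -> undefined
    end.

%% Kill confirmed loopers and return their pids. This ends only the affected
%% SFTP channel; the SSH connection and its other channels stay up, and the
%% client can simply open a new channel, so pair this with max_channels and
%% max_sessions limits rather than relying on it alone.
kill_stuck(MinQueue, SampleMs) ->
    [begin exit(Pid, kill), Pid end
     || #{pid := Pid} <- find(MinQueue), confirm(Pid, SampleMs)].
```

Typical use is `sftpd_stuck:find(100)` to get a first list, then `sftpd_stuck:kill_stuck(100, 5000)` once the loop signature is confirmed over a five-second sample. Observer's Processes view gives the same information interactively: sort by MsgQ and Reds and look for entries whose current function stays in ssh_sftpd.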
Mitigation Strategies

Until a fixed release is deployed, mitigation is about bounding the blast radius: configuration cannot prevent the loop itself, but it can limit how many stuck processes one authenticated attacker is able to create.

  • Set max_channels in the daemon options to a finite number instead of the default infinity. It caps channels per connection, which is the amplification path the description calls out.
  • Set max_sessions to cap concurrent connections to the daemon. Together the two bound the number of simultaneously stuck channel processes to max_sessions x max_channels; without max_sessions an attacker can keep re-authenticating on new connections.
  • Monitor ssh_sftpd channel processes for the loop signature (sustained CPU, a mailbox that only grows) and kill stuck ones with exit(Pid, kill). Killing frees the resources but the client can open a new channel, so it is a stop-gap, not a fix.
  • Restrict access to the SFTP port to trusted networks and keep the set of SFTP accounts tight: the attacker must authenticate, so every valid SFTP credential is an attack capability.

Upgrading to a fixed release is the definitive solution: OTP 29.0.3, 28.5.0.3 or 27.3.4.14 (ssh 6.0.2, 5.5.2.2 or 5.2.11.9), or anything later on the same line.
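
The configuration below is an added example, not OTP's own code or documentation: an SFTP-only ssh:daemon/2 option list in the default shape (no channel or session limits) beside a bounded one, plus a helper that states the worst case each allows. Port, key and directory paths and the limit values are assumptions; choose limits that fit your client population.

```erlang
%% Added example, not OTP code: bounded ssh:daemon/2 options for an SFTP-only
%% server. Paths, port and limit values are assumptions.
-module(sftpd_limits).
-export([default_opts/0, bounded_opts/0, start/1, worst_case_stuck_channels/1]).

%% Default shape: max_channels and max_sessions fall back to infinity, so one
%% authenticated client can open any number of channels on one connection.
default_opts() ->
    [{system_dir, "/etc/ssh"},                                      %% host keys
     {auth_methods, "publickey"},
     {subsystems, [ssh_sftpd:subsystem_spec([{cwd, "/srv/sftp"}])]}].

%% Bounded shape. max_channels caps channels per connection, max_sessions caps
%% concurrent connections to this daemon. Neither prevents the loop on a
%% channel that does receive extended data; they bound how many stuck
%% processes one attacker can accumulate.
bounded_opts() ->
    default_opts() ++
        [{max_channels, 4},     %% SFTP clients need very few channels
         {max_sessions, 50}].   %% concurrent connections to this daemon

start(Port) ->
    {ok, _Started} = application:ensure_all_started(ssh),
    ssh:daemon(Port, bounded_opts()).

%% Upper bound on simultaneously stuck ssh_sftpd processes under Opts:
%% sessions x channels, or infinity if either limit is absent.
worst_case_stuck_channels(Opts) ->
    Sessions = proplists:get_value(max_sessions, Opts, infinity),
    Channels = proplists:get_value(max_channels, Opts, infinity),
    case {Sessions, Channels} of
        {infinity, _} -> infinity;
        {_, infinity} -> infinity;
        {S, C} -> S * C
    end.
```

`sftpd_limits:worst_case_stuck_channels(sftpd_limits:default_opts())` returns `infinity`, while the bounded options give 200; that number is the most CPU-burning channel processes a single set of valid credentials can leave behind before the daemon refuses further connections, and it is what the limits buy you until the upgrade lands.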

Compliance Impact

This vulnerability causes a denial of service (DoS) condition on targeted SFTP channels, leading to CPU degradation and memory growth. However, it does not allow access to file contents, credentials, or write access.

Since no sensitive data is exposed or compromised, the vulnerability primarily impacts availability rather than confidentiality or integrity.

Therefore, while the DoS condition could affect service availability requirements under standards like GDPR or HIPAA, it does not directly result in data breaches or unauthorized data access that would violate these regulations.

Organizations relying on Erlang OTP SSH SFTP servers should consider the potential impact on availability controls and implement mitigations such as limiting channels, restricting access, and monitoring processes to maintain compliance.
