{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-23943","assignerOrgId":"6b3ad84c-e1a6-4bf7-a703-f496b71e49db","state":"PUBLISHED","assignerShortName":"EEF","dateReserved":"2026-01-19T14:23:14.343Z","datePublished":"2026-03-13T09:11:57.794Z","dateUpdated":"2026-04-07T14:38:05.652Z"},"containers":{"cna":{"affected":[{"cpes":["cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"],"defaultStatus":"unknown","modules":["ssh_transport"],"packageName":"ssh","packageURL":"pkg:otp/ssh?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp&vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git","product":"OTP","programFiles":["src/ssh_transport.erl"],"programRoutines":[{"name":"ssh_transport:decompress/2"},{"name":"ssh_transport:handle_packet_part/4"}],"repo":"https://github.com/erlang/otp","vendor":"Erlang","versions":[{"changes":[{"at":"5.5.1","status":"unaffected"},{"at":"5.2.11.6","status":"unaffected"},{"at":"5.1.4.14","status":"unaffected"}],"lessThan":"*","status":"affected","version":"3.0.1","versionType":"otp"}]},{"collectionURL":"https://github.com","cpes":["cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"],"defaultStatus":"unknown","modules":["ssh_transport"],"packageName":"erlang/otp","packageURL":"pkg:github/erlang/otp","product":"OTP","programFiles":["lib/ssh/src/ssh_transport.erl"],"programRoutines":[{"name":"ssh_transport:decompress/2"},{"name":"ssh_transport:handle_packet_part/4"}],"repo":"https://github.com/erlang/otp","vendor":"Erlang","versions":[{"changes":[{"at":"28.4.1","status":"unaffected"},{"at":"27.3.4.9","status":"unaffected"},{"at":"26.2.5.18","status":"unaffected"}],"lessThan":"*","status":"affected","version":"17.0","versionType":"otp"},{"changes":[{"at":"43a87b949bdff12d629a8c34146711d9da93b1b1","status":"unaffected"},{"at":"93073c3bd338c60cd2bae715ce6a1d4ffc1a8fd3","status":"unaffected"},{"at":"0c1c04b191f6ab940e8fcfabce39eb5a8a6440a4","status":"unaffected"}],"lessThan":"*","status":"affected","version":"07b8f441ca711f9812fad9e9115bab3c3aa92f79","versionType":"git"}]}],"configurations":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"The SSH server or client must advertise zlib or zlib@openssh.com compression. Both are enabled by default. With zlib, the attack is pre-authentication; with zlib@openssh.com, authentication is required first."}],"value":"The SSH server or client must advertise zlib or zlib@openssh.com compression. Both are enabled by default. With zlib, the attack is pre-authentication; with zlib@openssh.com, authentication is required first."}],"credits":[{"lang":"en","type":"reporter","value":"Igor Morgenstern / Aisle Research"},{"lang":"en","type":"remediation developer","value":"Michał Wąsowski"},{"lang":"en","type":"remediation reviewer","value":"Jakub Witczak"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Improper Handling of Highly Compressed Data (Compression Bomb) vulnerability in Erlang OTP ssh (ssh_transport modules) allows Denial of Service via Resource Depletion.

The SSH transport layer advertises legacy zlib compression by default and inflates attacker-controlled payloads pre-authentication without any size limit, enabling reliable memory exhaustion DoS.

Two compression algorithms are affected:

Each SSH packet can decompress ~255 MB from 256 KB of wire data (1029:1 amplification ratio). Multiple packets can rapidly exhaust available memory, causing OOM kills in memory-constrained environments.

This vulnerability is associated with program files lib/ssh/src/ssh_transport.erl and program routines ssh_transport:decompress/2, ssh_transport:handle_packet_part/4.

This issue affects OTP from OTP 17.0 until OTP 28.4.1, 27.3.4.9 and 26.2.5.18 corresponding to ssh from 3.0.1 until 5.5.1, 5.2.11.6 and 5.1.4.14.

"}],"value":"Improper Handling of Highly Compressed Data (Compression Bomb) vulnerability in Erlang OTP ssh (ssh_transport modules) allows Denial of Service via Resource Depletion.\n\nThe SSH transport layer advertises legacy zlib compression by default and inflates attacker-controlled payloads pre-authentication without any size limit, enabling reliable memory exhaustion DoS.\n\nTwo compression algorithms are affected:\n\n* zlib: Activates immediately after key exchange, enabling unauthenticated attacks\n* zlib@openssh.com: Activates post-authentication, enabling authenticated attacks\n\nEach SSH packet can decompress ~255 MB from 256 KB of wire data (1029:1 amplification ratio). Multiple packets can rapidly exhaust available memory, causing OOM kills in memory-constrained environments.\n\nThis vulnerability is associated with program files lib/ssh/src/ssh_transport.erl and program routines ssh_transport:decompress/2, ssh_transport:handle_packet_part/4.\n\nThis issue affects OTP from OTP 17.0 until OTP 28.4.1, 27.3.4.9 and 26.2.5.18 corresponding to ssh from 3.0.1 until 5.5.1, 5.2.11.6 and 5.1.4.14."}],"impacts":[{"capecId":"CAPEC-130","descriptions":[{"lang":"en","value":"CAPEC-130 Excessive Allocation"}]},{"capecId":"CAPEC-490","descriptions":[{"lang":"en","value":"CAPEC-490 Amplification"}]}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":6.9,"baseSeverity":"MEDIUM","exploitMaturity":"NOT_DEFINED","privilegesRequired":"NONE","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"LOW","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-409","description":"CWE-409 Improper Handling of Highly Compressed Data (Data Amplification)","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"6b3ad84c-e1a6-4bf7-a703-f496b71e49db","shortName":"EEF","dateUpdated":"2026-04-07T14:38:05.652Z"},"references":[{"tags":["vendor-advisory","related"],"url":"https://github.com/erlang/otp/security/advisories/GHSA-c836-qprm-jw9r"},{"tags":["related"],"url":"https://cna.erlef.org/cves/CVE-2026-23943.html"},{"tags":["related"],"url":"https://osv.dev/vulnerability/EEF-CVE-2026-23943"},{"tags":["x_version-scheme"],"url":"https://www.erlang.org/doc/system/versions.html#order-of-versions"},{"tags":["patch"],"url":"https://github.com/erlang/otp/commit/43a87b949bdff12d629a8c34146711d9da93b1b1"},{"tags":["patch"],"url":"https://github.com/erlang/otp/commit/93073c3bd338c60cd2bae715ce6a1d4ffc1a8fd3"},{"tags":["patch"],"url":"https://github.com/erlang/otp/commit/0c1c04b191f6ab940e8fcfabce39eb5a8a6440a4"}],"source":{"discovery":"EXTERNAL"},"title":"Pre-auth SSH DoS via unbounded zlib inflate","workarounds":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"

Best workaround - Disable all compression:

{preferred_algorithms, [{compression, ['none']}]}

Alternative mitigations (less secure):

"}],"value":"Best workaround - Disable all compression:\n\n{preferred_algorithms, [{compression, ['none']}]}\n\nAlternative mitigations (less secure):\n\n* Disable only pre-auth zlib compression (authenticated users can still exploit via zlib@openssh.com):\n {modify_algorithms, [{rm, [{compression, ['zlib']}]}]}\n* Limit concurrent sessions (reduces attack surface but does not prevent exploitation):\n {max_sessions, N} % Cap total concurrent sessions (default is infinity)"}],"x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-03-13T16:01:40.898658Z","id":"CVE-2026-23943","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-03-13T16:01:48.609Z"}}]}}