CVE-2025-30211

EUVD-2025-14809
Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.1, OTP-26.2.5.10, and OTP-25.3.2.19, a maliciously formed SSH KEX init message (SSH_MSG_KEXINIT) can result in high memory usage. The implementation does not enforce the RFC-specified limit on algorithm names carried in the KEX init name-lists (64 characters, RFC 4253 section 6). A very large KEX init packet therefore reaches the error-handling path, where the offending data is processed inefficiently, and a large amount of memory is allocated while handling the malicious message. Versions OTP-27.3.1, OTP-26.2.5.10, and OTP-25.3.2.19 fix the issue. Workarounds are available until the upgrade: set the SSH daemon option `parallel_login` to `false` and/or reduce the `max_sessions` option, which bounds how many unauthenticated connections can be driven through the vulnerable path at once.
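The limit the advisory refers to is the one in RFC 4253 section 6: every name in a KEXINIT name-list must be printable US-ASCII and no longer than 64 bytes. The following is an added example, not code from Erlang/OTP or from this advisory: a strict SSH_MSG_KEXINIT parser in Python that checks the name-list bytes in a single pass, rejects the message at the first oversized or illegal name before any per-name object is allocated, and caps the whole payload at the 32768-byte maximum from RFC 4253 section 6.1. The sample packets at the bottom are constructed here (a normal client KEXINIT, one with a 65-byte name, and one carrying a single 100 KiB name), and all function and constant names are this example's own.

```python
import struct

SSH_MSG_KEXINIT = 20
COOKIE_LEN = 16
MAX_ALGORITHM_NAME_LEN = 64   # RFC 4253 section 6: names MUST NOT exceed 64 bytes
MAX_PAYLOAD_LEN = 32768       # RFC 4253 section 6.1: largest payload a peer must accept

# The ten name-lists of SSH_MSG_KEXINIT, in wire order (RFC 4253 section 7.1).
NAME_LIST_FIELDS = (
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_client_to_server", "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server", "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server", "compression_algorithms_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
)


class KexInitError(ValueError):
    """Any KEXINIT that violates the wire format or the RFC 4253 limits."""


def _check_name_list(raw: bytes) -> None:
    """Validate a name-list body in one pass, without splitting or copying it.

    Each comma-separated name must be non-empty, printable US-ASCII (no comma,
    whitespace or control byte) and at most 64 bytes. '@' is accepted because
    local names such as aes256-gcm@openssh.com carry a domain suffix.
    """
    if not raw:
        return                        # an empty name-list is legal
    run = 0                           # length of the name currently being scanned
    for c in raw:
        if c == 0x2C:                 # ','
            if run == 0:
                raise KexInitError("empty algorithm name")
            run = 0
            continue
        if c <= 0x20 or c >= 0x7F:
            raise KexInitError("illegal byte in algorithm name")
        run += 1
        if run > MAX_ALGORITHM_NAME_LEN:   # bail on the first oversized name
            raise KexInitError(f"algorithm name longer than {MAX_ALGORITHM_NAME_LEN} bytes")
    if run == 0:
        raise KexInitError("trailing comma in name-list")


def parse_kexinit(payload: bytes) -> dict:
    """Strictly parse a KEXINIT payload into its ten name-lists and the trailer."""
    if len(payload) > MAX_PAYLOAD_LEN:
        raise KexInitError("payload exceeds the maximum SSH packet payload")
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise KexInitError("not a KEXINIT message")
    off = 1 + COOKIE_LEN
    if len(payload) < off:
        raise KexInitError("truncated cookie")
    result = {}
    for field in NAME_LIST_FIELDS:
        if len(payload) - off < 4:
            raise KexInitError("truncated name-list length")
        (length,) = struct.unpack(">I", payload[off:off + 4])
        off += 4
        if length > len(payload) - off:
            raise KexInitError("name-list length exceeds payload")
        body = payload[off:off + length]
        off += length
        _check_name_list(body)        # reject before any per-name object is built
        result[field] = body.decode("ascii").split(",") if body else []
    if len(payload) - off != 5:       # boolean first_kex_packet_follows + uint32 0
        raise KexInitError("bad trailer length")
    if payload[off + 1:] != b"\x00\x00\x00\x00":
        raise KexInitError("reserved field is not zero")
    result["first_kex_packet_follows"] = payload[off] != 0
    return result


def build_kexinit(name_lists) -> bytes:
    """Serialise a KEXINIT from ten lists of names; used here to construct samples."""
    out = bytes([SSH_MSG_KEXINIT]) + b"\x00" * COOKIE_LEN   # zero cookie: sample only
    for names in name_lists:
        body = ",".join(names).encode("ascii")
        out += struct.pack(">I", len(body)) + body
    return out + b"\x00" + b"\x00\x00\x00\x00"


def kexinit_within_limits(payload: bytes) -> bool:
    """True if the payload passes the strict parser, False if it is rejected."""
    try:
        parse_kexinit(payload)
        return True
    except KexInitError:
        return False


# Constructed samples (not captured traffic): an ordinary client KEXINIT, one
# whose first kex name is 65 bytes, and one carrying a single 100 KiB name.
BENIGN_KEXINIT = build_kexinit([
    ["curve25519-sha256", "ecdh-sha2-nistp256"], ["ssh-ed25519", "rsa-sha2-256"],
    ["aes256-gcm@openssh.com", "aes128-ctr"], ["aes256-gcm@openssh.com", "aes128-ctr"],
    ["hmac-sha2-256"], ["hmac-sha2-256"], ["none"], ["none"], [], [],
])
LONG_NAME_KEXINIT = build_kexinit([["a" * 65]] + [["none"]] * 9)
HUGE_NAME_KEXINIT = build_kexinit([["a" * (100 * 1024)]] + [["none"]] * 9)

if __name__ == "__main__":
    print(parse_kexinit(BENIGN_KEXINIT)["kex_algorithms"])
    print("65-byte name rejected:", not kexinit_within_limits(LONG_NAME_KEXINIT))
    print("100 KiB name rejected:", not kexinit_within_limits(HUGE_NAME_KEXINIT))
```

The 100 KiB sample never reaches the name scanner: it is refused by the payload-size check, which is the cheapest place to stop it. The 65-byte sample is within the size budget and is caught by the per-name limit instead, which is the check the advisory says Erlang/OTP lacked. On the Erlang side the workarounds map to the `ssh:daemon/2` options `{parallel_login, false}` and `{max_sessions, N}`. When verifying whether an installation is patched, note that `erlang:system_info(otp_release)` reports only the major release; the full patch level (for example 27.3.1) is in the `OTP_VERSION` file under `releases/<major>/` in the directory returned by `code:root_dir()`.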
Provider  Type     Base Score  Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST      Primary  7.5 HIGH    NETWORK      LOW              NONE            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Analysis status: awaiting analysis (this vulnerability is currently awaiting analysis).
EPSS percentile: 35%
Debian Releases

Product  Codename             Version                    Status
erlang   bookworm             1:25.2.3+dfsg-1+deb12u4    fixed
erlang   bookworm (security)  1:25.2.3+dfsg-1+deb12u1    fixed
erlang   bullseye             -                          vulnerable
erlang   bullseye (security)  1:23.2.6+dfsg-1+deb11u4    fixed
erlang   forky                1:27.3.4.12+dfsg-1         fixed
erlang   sid                  1:27.3.4.12+dfsg-1         fixed
erlang   trixie               1:27.3.4.1+dfsg-1+deb13u2  fixed
openSUSE / SLES Releases

Product       Release                        Version               Status
erlang        SUSE Enterprise Server 15 SP2  22.2.7-150200.3.13.1  fixed
erlang-epmd   SUSE Enterprise Server 15 SP2  22.2.7-150200.3.13.1  fixed
erlang26      SUSE Enterprise SAP 15 SP6     26.2.1-150300.7.11.1  fixed
erlang26      SUSE Enterprise SAP 15 SP7     26.2.1-150300.7.11.1  fixed
erlang26      SUSE Enterprise Server 15 SP6  26.2.1-150300.7.11.1  fixed
erlang26      SUSE Enterprise Server 15 SP7  26.2.1-150300.7.11.1  fixed
erlang26-epmd SUSE Enterprise SAP 15 SP6     26.2.1-150300.7.11.1  fixed
erlang26-epmd SUSE Enterprise SAP 15 SP7     26.2.1-150300.7.11.1  fixed
erlang26-epmd SUSE Enterprise Server 15 SP6  26.2.1-150300.7.11.1  fixed
erlang26-epmd SUSE Enterprise Server 15 SP7  26.2.1-150300.7.11.1  fixed