CVE-2026-23943

EUVD-2026-11780
Improper Handling of Highly Compressed Data (Compression Bomb) vulnerability in Erlang OTP ssh (ssh_transport modules) allows Denial of Service via Resource Depletion.

The SSH transport layer advertises legacy zlib compression by default and inflates attacker-controlled payloads pre-authentication without any size limit, enabling reliable memory exhaustion DoS.

Two compression algorithms are affected:

* zlib: Activates immediately after key exchange, enabling unauthenticated attacks
* zlib@openssh.com: Activates post-authentication, enabling authenticated attacks

Each SSH packet can decompress ~255 MB from 256 KB of wire data (1029:1 amplification ratio). Multiple packets can rapidly exhaust available memory, causing OOM kills in memory-constrained environments.

This vulnerability is associated with program files lib/ssh/src/ssh_transport.erl and program routines ssh_transport:decompress/2, ssh_transport:handle_packet_part/4.

This issue affects OTP from OTP 17.0 until OTP 28.4.1, 27.3.4.9 and 26.2.5.18, corresponding to ssh from 3.0.1 until 5.5.1, 5.2.11.6 and 5.1.4.14.
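The defensive shape of the fix the advisory calls for, an upper bound on how many bytes a single packet may inflate to, shown here as an added Python illustration of the idea rather than the project's Erlang code. The cap value, the packet framing and the sample payloads are assumptions constructed for this example.

```python
import zlib

# Per-packet cap on inflated bytes. The value is an assumption for this example;
# the advisory's point is that the vulnerable decompress path had no cap at all.
MAX_INFLATED_PER_PACKET = 1 << 20  # 1 MiB

class DecompressionBombError(ValueError):
    """One packet would inflate past the configured cap."""

class SshInflater:
    """Receiver-side zlib state for one connection. As in SSH, the zlib stream
    persists across packets and the sender sync-flushes after each packet."""

    def __init__(self, limit: int = MAX_INFLATED_PER_PACKET) -> None:
        self.limit = limit
        self._z = zlib.decompressobj()

    def inflate_packet(self, payload: bytes) -> bytes:
        # Ask zlib for at most limit+1 bytes. If it produces that many, the packet
        # exceeds the cap and we abort before any larger buffer is ever allocated;
        # the rest of the compressed input stays unprocessed in _z.unconsumed_tail.
        out = self._z.decompress(payload, self.limit + 1)
        if len(out) > self.limit:
            raise DecompressionBombError(
                f"packet inflates beyond {self.limit} bytes; dropping connection")
        return out

def compress_packets(payloads):
    """Constructed sender side: one zlib stream, Z_SYNC_FLUSH after each packet."""
    c = zlib.compressobj()
    return [c.compress(p) + c.flush(zlib.Z_SYNC_FLUSH) for p in payloads]

def check_stream(packets, limit=MAX_INFLATED_PER_PACKET):
    """Inflate packets in order; return (outputs so far, index of the offending
    packet or None). Memory use never exceeds roughly `limit` per packet."""
    inflater = SshInflater(limit)
    outputs = []
    for i, pkt in enumerate(packets):
        try:
            outputs.append(inflater.inflate_packet(pkt))
        except DecompressionBombError:
            return outputs, i
    return outputs, None
```

A constructed 8 MiB run of zeros compresses to a few KB on the wire; with the cap in place the receiver rejects it at packet index 0 after inflating at most 1 MiB, while ordinary small payloads round-trip unchanged.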
Data Amplification
Provider  Type     Base Score  Atk. Vector  Atk. Complexity  Priv. Required
NIST      Primary  5.3 MEDIUM  NETWORK      LOW              NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS Score Percentile: 20%
Affected Products (NVD)
Vendor  Product     Version
erlang  erlang/otp  17.0 ≤ x < 26.2.5.18
erlang  erlang/otp  27.0 ≤ x < 27.3.4.9
erlang  erlang/otp  28.0 ≤ x < 28.4.1
erlang  erlang/ssh  3.0.1 ≤ x < 5.1.4.14
erlang  erlang/ssh  5.2 ≤ x < 5.2.11.6
erlang  erlang/ssh  5.5 ≤ x ≤ 5.5.1
x = vulnerable software versions
Debian Releases
Debian Product  Codename             Version                    Status
erlang          bookworm             1:25.2.3+dfsg-1+deb12u4    fixed
erlang          bookworm (security)  -                          vulnerable
erlang          bullseye             -                          vulnerable
erlang          bullseye (security)  1:23.2.6+dfsg-1+deb11u4    fixed
erlang          forky                1:27.3.4.12+dfsg-1         fixed
erlang          sid                  1:29.0.2+dfsg-1            fixed
erlang          trixie               1:27.3.4.1+dfsg-1+deb13u2  fixed
openSUSE / SLES Releases
openSUSE Product  Release                        Version                  Status
erlang            suse enterprise sap 15 SP4     23.3.4.19-150300.3.32.1  fixed
erlang            suse enterprise sap 15 SP5     23.3.4.19-150300.3.32.1  fixed
erlang            suse enterprise sap 15 SP7     23.3.4.19-150300.3.32.1  fixed
erlang            suse enterprise server 15 SP4  23.3.4.19-150300.3.32.1  fixed
erlang            suse enterprise server 15 SP5  23.3.4.19-150300.3.32.1  fixed
erlang            suse enterprise server 15 SP6  23.3.4.19-150300.3.32.1  fixed
erlang            suse enterprise server 15 SP7  23.3.4.19-150300.3.32.1  fixed
erlang-epmd       suse enterprise sap 15 SP4     23.3.4.19-150300.3.32.1  fixed
erlang-epmd       suse enterprise sap 15 SP5     23.3.4.19-150300.3.32.1  fixed
erlang-epmd       suse enterprise sap 15 SP7     23.3.4.19-150300.3.32.1  fixed
erlang-epmd       suse enterprise server 15 SP4  23.3.4.19-150300.3.32.1  fixed
erlang-epmd       suse enterprise server 15 SP5  23.3.4.19-150300.3.32.1  fixed
erlang-epmd       suse enterprise server 15 SP6  23.3.4.19-150300.3.32.1  fixed
erlang-epmd       suse enterprise server 15 SP7  23.3.4.19-150300.3.32.1  fixed
erlang26          suse enterprise sap 15 SP7     26.2.1-150300.7.25.1     fixed
erlang26          suse enterprise server 15 SP6  26.2.1-150300.7.25.1     fixed
erlang26          suse enterprise server 15 SP7  26.2.1-150300.7.25.1     fixed
erlang26-epmd     suse enterprise sap 15 SP7     26.2.1-150300.7.25.1     fixed
erlang26-epmd     suse enterprise server 15 SP6  26.2.1-150300.7.25.1     fixed
erlang26-epmd     suse enterprise server 15 SP7  26.2.1-150300.7.25.1     fixed
Azure Linux Releases
Azure Package  Release          Version             Status
erlang         Azure Linux 3.0  0:26.2.5.18-1.azl3  fixed
erlang         CBL-Mariner 2.0  0:25.3.2.21-5.cm2   fixed