PT-2026-25165 · Erlang Solutions · Erlang/Otp

Jakub Witczak · Published 2026-03-13 · Updated 2026-06-03 · CVE-2026-23943

CVSS v4.0: 6.9 (Medium)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions

Erlang OTP versions 17.0 through 28.4.1
Erlang OTP versions 26.2.5.18 through 27.3.4.9
Description

An issue exists in Erlang OTP ssh (ssh transport modules) that allows for Denial of Service via Resource Depletion. The SSH transport layer, by default, advertises legacy zlib compression and inflates attacker-controlled payloads without a size limit before authentication. This enables a reliable memory exhaustion attack. Two compression algorithms are affected: zlib, which activates immediately after key exchange, and zlib@openssh.com, which activates post-authentication. Each SSH packet can decompress approximately 255 MB from 256 KB of data, resulting in a 1029:1 amplification ratio. Multiple packets can quickly exhaust available memory, potentially causing Out-Of-Memory (OOM) kills in environments with limited memory. The issue is associated with the ssh_transport.erl file and the ssh_transport:decompress/2 and ssh_transport:handle_packet_part/4 routines.
Recommendations

Update Erlang OTP to a version later than 28.4.1.
Update Erlang OTP to a version later than 27.3.4.9.
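The defect class described above, as an added illustration that is not code from Erlang/OTP or from this advisory: a Python bounded-inflate check beside the unbounded pattern, run over a constructed highly compressible payload. The per-packet ceiling, the 4 MiB sample and the function names are assumptions made for the example.

```python
import zlib

# Constructed sample: 4 MiB of zeros, the highly compressible shape the advisory describes.
INFLATED_SIZE = 4 * 1024 * 1024
SAMPLE_PAYLOAD = zlib.compress(b"\x00" * INFLATED_SIZE, 9)
SMALL_PAYLOAD = zlib.compress(b"hello ssh")  # constructed benign packet

# Assumed per-packet ceiling for inflated data before authentication; not an OTP value.
MAX_INFLATED_PER_PACKET = 256 * 1024


class InflateLimitExceeded(Exception):
    """Raised when a packet would inflate beyond the configured ceiling."""


def amplification_ratio(payload: bytes) -> float:
    """Inflated size divided by wire size, measured with an unbounded inflate."""
    return len(zlib.decompress(payload)) / len(payload)


def inflate_unbounded(payload: bytes) -> bytes:
    """The vulnerable pattern: the sender, not the receiver, decides memory use."""
    return zlib.decompress(payload)


def inflate_bounded(payload: bytes, limit: int, chunk: int = 64 * 1024) -> bytes:
    """Hardened pattern: inflate in chunks, abort once output exceeds limit.
    decompress(data, max_length) parks unprocessed input in unconsumed_tail,
    so the receiver holds at most limit + chunk bytes whatever the input is.
    """
    d = zlib.decompressobj()
    out = bytearray()
    data = payload
    while True:
        piece = d.decompress(data, chunk)
        out += piece
        if len(out) > limit:
            raise InflateLimitExceeded(f"inflated output exceeds {limit} bytes")
        data = d.unconsumed_tail
        if d.eof or (not piece and not data):
            return bytes(out)


def packet_exceeds_limit(payload: bytes, limit: int = MAX_INFLATED_PER_PACKET) -> bool:
    """True when the bounded inflater would reject the packet."""
    try:
        inflate_bounded(payload, limit)
    except InflateLimitExceeded:
        return True
    return False
```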

Fix

DoS


Weakness Enumeration

Related identifiers

BDU:2026-07216
CVE-2026-23943
GHSA-C836-QPRM-JW9R
OESA-2026-1665
OESA-2026-1666
OESA-2026-1667
OESA-2026-1668
OPENSUSE-SU-2026:10947-1
OPENSUSE-SU-2026:20607-1
SUSE-SU-2026:1714-1
SUSE-SU-2026:2010-1
SUSE-SU-2026:21374-1

Affected products

Erlang/Otp
Red Os