Description
Improper Handling of Highly Compressed Data (Compression Bomb) vulnerability in Erlang OTP ssh (ssh_transport modules) allows Denial of Service via Resource Depletion.

The SSH transport layer advertises legacy zlib compression by default and inflates attacker-controlled payloads pre-authentication without any size limit, enabling reliable memory exhaustion DoS.

Two compression algorithms are affected:

* zlib: Activates immediately after key exchange, enabling unauthenticated attacks
* zlib@openssh.com: Activates post-authentication, enabling authenticated attacks

Each SSH packet can decompress ~255 MB from 256 KB of wire data (1029:1 amplification ratio). Multiple packets can rapidly exhaust available memory, causing OOM kills in memory-constrained environments.

This vulnerability is associated with program files lib/ssh/src/ssh_transport.erl and program routines ssh_transport:decompress/2, ssh_transport:handle_packet_part/4.

This issue affects OTP from 17.0 until 28.4.1, 27.3.4.9 and 26.2.5.18, corresponding to ssh from 3.0.1 until 5.5.1, 5.2.11.6 and 5.1.4.14.
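The two affected methods are distinguishable from what a server advertises in its SSH_MSG_KEXINIT. The following is an added audit helper (not code from this page or from OTP) that decodes the KEXINIT name-lists per RFC 4253 and flags `zlib` (pre-authentication) and `zlib@openssh.com` (post-authentication); the two KEXINIT payloads at the bottom are constructed sample input, not captures from a real server.

```python
import struct

SSH_MSG_KEXINIT = 20
# The ten name-lists of SSH_MSG_KEXINIT, in wire order (RFC 4253, section 7.1)
NAMELIST_FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                   "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def _namelist(names):
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data

def build_kexinit(lists):
    """Encode a KEXINIT payload: msg id, 16-byte cookie, ten name-lists,
    first_kex_packet_follows, reserved uint32. The zero cookie is only
    acceptable for constructing test input, never for a real peer."""
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    for field in NAMELIST_FIELDS:
        body += _namelist(lists.get(field, []))
    return body + b"\x00" + struct.pack(">I", 0)

def parse_kexinit(payload):
    """Decode the name-lists of a KEXINIT payload into a dict of lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, out = 17, {}  # skip message id and cookie
    for field in NAMELIST_FIELDS:
        (length,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        raw = payload[pos:pos + length]
        if len(raw) != length:
            raise ValueError("truncated name-list: " + field)
        pos += length
        out[field] = raw.decode("ascii").split(",") if raw else []
    return out

def assess_compression(kexinit):
    """Flag the two methods named in the advisory, in either direction."""
    advertised = set(kexinit["comp_c2s"]) | set(kexinit["comp_s2c"])
    return {"preauth_zlib": "zlib" in advertised,              # unauthenticated risk
            "postauth_zlib": "zlib@openssh.com" in advertised,  # authenticated risk
            "compression_off": advertised <= {"none"}}

# Constructed samples: a default-like advertisement and a hardened one
_COMMON = {"kex": ["curve25519-sha256"], "hostkey": ["ssh-ed25519"],
           "enc_c2s": ["aes256-gcm@openssh.com"], "enc_s2c": ["aes256-gcm@openssh.com"],
           "mac_c2s": ["hmac-sha2-256"], "mac_s2c": ["hmac-sha2-256"]}
DEFAULT_LIKE = build_kexinit({**_COMMON, "comp_c2s": ["none", "zlib@openssh.com", "zlib"],
                              "comp_s2c": ["none", "zlib@openssh.com", "zlib"]})
HARDENED = build_kexinit({**_COMMON, "comp_c2s": ["none"], "comp_s2c": ["none"]})
```

Feed `parse_kexinit` the payload of the server's first KEXINIT (after the SSH packet framing is stripped) to confirm that a deployed workaround actually removed `zlib` from the advertised list.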
Published: 2026-03-13
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

The vulnerability arises from improper handling of highly compressed data (compression bomb) in Erlang OTP SSH, where the SSH transport layer inflates zlib packets before authentication without any size limit. This unbounded decompression allows an attacker to send a small compressed payload that expands to hundreds of megabytes, consuming server memory and causing an out‑of‑memory termination or prolonged unavailability. The weakness is classified as CWE‑409: Excessive Resource Consumption, directly leading to a denial‑of‑service impact without granting code execution or data exfiltration capabilities.

Affected Systems

OTP releases from 17.0 through 28.4.1, 27.3.4.9, and 26.2.5.18 (corresponding to SSH libraries 3.0.1 to 5.5.1, 5.2.11.6, and 5.1.4.14) are affected when using the default SSH configuration. Any deployment of these releases that runs the ssh application with its default algorithm list, which advertises zlib, is vulnerable.

Risk and Exploitability

The CVSS score is 6.9, indicating moderate severity. EPSS indicates an exploitation probability below 1%, and the vulnerability is not listed in the CISA KEV catalog. Exfiltration of data or code execution is not possible; the attack is limited to memory exhaustion. The likely attack vector is remote and unauthenticated, via the pre‑authentication zlib compression algorithm on the SSH port. An attacker with network connectivity can repeatedly send compressed packets to deplete memory and induce a denial‑of‑service. Authenticated exploitation is also possible via the zlib@openssh.com algorithm, but the impact remains a service outage.

Generated by OpenCVE AI on March 19, 2026 at 15:25 UTC.

Remediation

Vendor Workaround

Best workaround - Disable all compression:

{preferred_algorithms, [{compression, ['none']}]}

Alternative mitigations (less secure):

* Disable only pre-auth zlib compression (authenticated users can still exploit via zlib@openssh.com):
  {modify_algorithms, [{rm, [{compression, ['zlib']}]}]}
* Limit concurrent sessions (reduces attack surface but does not prevent exploitation):
  {max_sessions, N} % Cap total concurrent sessions (default is infinity)


OpenCVE Recommended Actions

  • Disable all SSH compression by setting {preferred_algorithms, [{compression, ['none']}]}.
  • If disabling all compression is not feasible, disable only the pre‑authentication zlib compression: {modify_algorithms, [{rm, [{compression, ['zlib']}]}]}.
  • Limit the total number of concurrent SSH sessions with {max_sessions, N} to reduce the attack surface.

Generated by OpenCVE AI on March 19, 2026 at 15:25 UTC.

Advisories

No advisories yet.

History

Mon, 06 Apr 2026 16:45:00 +0000


Mon, 16 Mar 2026 10:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Erlang erlang/otp; Erlang otp
Vendors & Products  |                | Erlang erlang/otp; Erlang otp

Fri, 13 Mar 2026 16:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 13 Mar 2026 09:30:00 +0000

Type                | Values Removed | Values Added
Description         |                | (added; text identical to the Description section above)
Title               |                | Pre-auth SSH DoS via unbounded zlib inflate
First Time appeared |                | Erlang; Erlang erlang/otp
Weaknesses          |                | CWE-409
CPEs                |                | cpe:2.3:a:erlang:erlang/otp:*:*:*:*:*:*:*:*
Vendors & Products  |                | Erlang; Erlang erlang/otp
References          |                |
Metrics             |                | cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-04-06T16:44:10.203Z

Reserved: 2026-01-19T14:23:14.343Z

Link: CVE-2026-23943

Vulnrichment

Updated: 2026-03-13T16:01:44.722Z

NVD

Status : Awaiting Analysis

Published: 2026-03-13T19:54:15.783

Modified: 2026-04-06T17:17:08.773

Link: CVE-2026-23943

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T09:59:34Z

Weaknesses