Description
Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP user to render an SFTP channel permanently unresponsive.

The handle_data/4 function in ssh_sftpd contains a catch-all clause that accepts channel data of any type. When channel data with a non-zero type code (SSH_MSG_CHANNEL_EXTENDED_DATA) arrives with an empty pending buffer and a payload at or below the SFTP packet size limit, the clause tail-calls itself with identical arguments, creating an infinite loop.

The SFTP protocol operates exclusively on normal channel data (type 0). Extended data (non-zero type) is meaningless for SFTP and is never sent by conforming clients. However, the SSH protocol permits any channel participant to send extended data on an open channel, so an authenticated SFTP client can trigger the loop by sending SSH_MSG_CHANNEL_EXTENDED_DATA with any data_type_code and any non-empty payload at or below the size limit.

The targeted ssh_sftpd process enters an infinite tail-recursive loop. It never processes another message, its message queue grows without bound, and it can only be stopped by killing the process. BEAM's reduction-based scheduler preemption continues to function, so other processes on the node are not starved, but each stuck channel process consumes its full CPU time share continuously and accumulates unbounded message queue memory. Opening many channels amplifies the CPU and memory impact.
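The clause shape the description gives, with a hardened dispatcher that discards extended data instead of re-entering itself, as an added Erlang model that is not the OTP ssh_sftpd source: the module name, the packet limit, the state record and the return conventions are assumptions made for this example.

```erlang
%% Added illustrative model, not the OTP ssh_sftpd source. It mirrors the clause
%% layout the advisory describes (a catch-all clause that prepends the pending
%% buffer and re-dispatches) and inserts a clause that consumes every non-zero
%% type before the catch-all can see it. Packet limit and record are assumed.
-module(sftpd_dispatch_model).
-export([handle_data/4, demo/0]).

-define(SFTP_PACKET_LIMIT, 256 * 1024).   % assumed limit for the example
-record(state, {pending = <<>> :: binary(), packets = [] :: [binary()]}).

%% Normal channel data (type 0), nothing buffered, within the limit:
%% the payload is accepted as an SFTP packet.
handle_data(0, _ChannelId, Data, #state{pending = <<>>, packets = Ps} = State)
  when byte_size(Data) =< ?SFTP_PACKET_LIMIT ->
    {ok, State#state{packets = [Data | Ps]}};
%% Normal channel data beyond the limit: refuse it and stop the channel.
handle_data(0, ChannelId, Data, _State)
  when byte_size(Data) > ?SFTP_PACKET_LIMIT ->
    {stop, ChannelId, packet_too_large};
%% Extended data (non-zero type) is not part of SFTP. In the vulnerable layout
%% the advisory describes, this case reached the catch-all clause below, which
%% with an empty pending buffer re-entered itself with the same arguments
%% forever. Discarding it here, with the state returned unchanged, is the
%% hardening shown by this model.
handle_data(Type, ChannelId, Data, State) when Type =/= 0 ->
    logger:warning("sftpd: ignoring extended data type ~p (~p bytes) on channel ~p",
                   [Type, byte_size(Data), ChannelId]),
    {ok, State};
%% Catch-all: prepend buffered bytes and re-dispatch. Because every non-zero
%% type was consumed above, this clause is only reached with Type =:= 0 and a
%% non-empty pending buffer, so the recursion always makes progress.
handle_data(Type, ChannelId, Data, #state{pending = Pending} = State) ->
    handle_data(Type, ChannelId, <<Pending/binary, Data/binary>>,
                State#state{pending = <<>>}).

%% Walks every clause once; returns the packets accepted in arrival order.
demo() ->
    S0 = #state{},
    {ok, S1} = handle_data(0, 7, <<"first-packet">>, S0),
    %% Extended data is dropped and the state comes back unchanged.
    {ok, S1} = handle_data(1, 7, <<"extended">>, S1),
    {stop, 7, packet_too_large} =
        handle_data(0, 7, binary:copy(<<0>>, ?SFTP_PACKET_LIMIT + 1), S0),
    %% A buffered prefix is joined with the next type-0 payload.
    {ok, S2} = handle_data(0, 7, <<"-tail">>, S1#state{pending = <<"head">>}),
    lists:reverse(S2#state.packets).   % [<<"first-packet">>, <<"head-tail">>]
```

The ordering of clauses is the whole point: the guard `Type =/= 0` must sit before the catch-all, because a catch-all that re-dispatches with `pending = <<>>` can only terminate if some earlier clause accepts every argument combination it can produce.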

Erlang/OTP SSH configurations using the default max_channels setting (infinity) allow an authenticated user to open unlimited channels per connection, amplifying the attack without requiring multiple TCP connections or authentications.

No file contents, credentials, or write access are obtainable through this issue. The impact is limited to denial of service on targeted SFTP channels, with secondary CPU degradation and memory growth.

This vulnerability is associated with program file lib/ssh/src/ssh_sftpd.erl and program routine ssh_sftpd:handle_data/4.

This issue affects OTP from OTP 17.0 until OTP 29.0.3, 28.5.0.3, and 27.3.4.14 corresponding to ssh from 3.0.1 until 6.0.2, 5.5.2.2, and 5.2.11.9.
Published: 2026-07-02
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in Erlang/OTP's ssh_sftpd module arises from a catch‑all clause in handle_data/4 that accepts SSH_MSG_CHANNEL_EXTENDED_DATA of any type. When an authenticated SFTP client sends such a message with a non‑zero type code and a payload at or below the SFTP packet size limit, the clause recursively calls itself with identical arguments, creating an infinite tail‑recursive loop. The affected ssh_sftpd process never processes new messages, its message queue grows without bound, and it consumes all of its CPU time share, leading to unbounded memory usage and denial of service on the targeted SFTP channel. The flaw does not disclose credentials or file contents; the impact stops at service degradation and potential resource exhaustion.

Affected Systems

The flaw affects Erlang OTP releases from 17.0 up to and including 29.0.3, 28.5.0.3, and 27.3.4.14, which correspond to ssh versions 3.0.1 through 6.0.2, 5.5.2.2, and 5.2.11.9, respectively. Any deployment of these versions that exposes the ssh_sftpd module to authenticated SFTP users is susceptible.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium severity, and the EPSS score is < 1%, indicating a very low exploitation probability. The vulnerability is not listed in CISA’s KEV catalog. An attacker requires only a valid SFTP session; the exploit is network‑based and authenticated, and can be executed repeatedly by opening additional shell sessions or maximizing the number of parallel channels. The attack can be amplified by the default max_channels option set to infinity, which allows unlimited channels per connection. The resulting denial of service can consume processor time and memory, potentially disrupting other services on the same Erlang node but does not grant broader privileges or disclose sensitive data.

Generated by OpenCVE AI on July 3, 2026 at 17:54 UTC.

Remediation

Vendor Workaround

* Set the max_channels daemon option to a finite value (e.g., {max_channels, 10}) to limit the number of channels an attacker can open per connection.
* Set the max_sessions daemon option to limit total concurrent SSH connections to the daemon.
* Use external process monitoring to detect and kill ssh_sftpd processes with abnormally high reduction counts and growing message queues.
* Ensure that the SFTP server port is not reachable from untrusted machines.


OpenCVE Recommended Actions

  • Upgrade Erlang OTP to a release that fixes the issue (any OTP version newer than 29.0.3, 28.5.0.3, or 27.3.4.14)
  • Set the {max_channels, 10} daemon option to limit the number of channels an authenticated user can open per connection
  • Configure the {max_sessions, N} daemon option to restrict total concurrent SSH connections to the daemon
  • Use external process monitoring to detect and kill ssh_sftpd processes that accumulate a high reduction count or an unusually large message queue
  • Ensure the SFTP port is not reachable from untrusted networks
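The vendor workaround and the recommended actions above applied in one place, as an added Erlang example that is neither OpenCVE's nor the OTP project's code: a daemon started with finite max_channels and max_sessions, and a monitor for the symptom the advisory describes (a process that keeps consuming reductions while its message queue grows). The port, directories, thresholds, module name and the assumption that a spinning channel reports an ssh_sftpd function as its current function are all assumptions of this example.

```erlang
%% Added example (not OpenCVE's or the OTP project's code). Port, directories,
%% thresholds and the module name are assumptions made for this example.
-module(sftpd_hardening).
-export([start_daemon/0, stuck_candidates/2, check_and_kill/2]).

%% Start an SFTP-only daemon with finite channel and session limits
%% instead of the default {max_channels, infinity}.
start_daemon() ->
    {ok, _} = application:ensure_all_started(ssh),
    ssh:daemon(2222, [
        {system_dir, "/etc/ssh"},                  % assumed host key directory
        {user_dir, "/var/lib/sftp/.ssh"},           % assumed authorized_keys directory
        {subsystems, [ssh_sftpd:subsystem_spec([{cwd, "/srv/sftp"}])]},
        {max_channels, 10},   % vendor workaround: bound channels per connection
        {max_sessions, 20},   % vendor workaround: bound concurrent connections
        {idle_time, 600000}   % assumed: close connections idle for 10 minutes
    ]).

%% Snapshot reductions, queue length and current function of every process.
sample() ->
    maps:from_list([{P, S} || P <- processes(), S <- [stats(P)], S =/= undefined]).

stats(Pid) ->
    case process_info(Pid, [reductions, message_queue_len, current_function]) of
        [{reductions, R}, {message_queue_len, Q}, {current_function, F}] -> {R, Q, F};
        undefined -> undefined   % process exited between processes/0 and here
    end.

%% Sample twice, IntervalMs apart, and return the processes that consumed at
%% least MinReductionDelta reductions in that interval while their message
%% queue grew: busy but not draining input, which is the pattern the advisory
%% describes. A delta is used because an absolute reduction count would also
%% flag long-lived healthy processes.
stuck_candidates(IntervalMs, MinReductionDelta) ->
    First = sample(),
    timer:sleep(IntervalMs),
    Second = sample(),
    maps:fold(
      fun(Pid, {R2, Q2, F}, Acc) ->
              case maps:find(Pid, First) of
                  {ok, {R1, Q1, _}} when R2 - R1 >= MinReductionDelta, Q2 > Q1 ->
                      [{Pid, R2 - R1, Q2, F} | Acc];
                  _ ->
                      Acc
              end
      end, [], Second).

%% Kill only candidates whose current function is in ssh_sftpd (the advisory
%% names ssh_sftpd:handle_data/4; that a spinning channel reports an ssh_sftpd
%% function here is an assumption of this check). Other busy processes are
%% only logged. Returns the list of killed pids.
check_and_kill(IntervalMs, MinReductionDelta) ->
    lists:filtermap(
      fun({Pid, Delta, Q, {ssh_sftpd, _, _} = F}) ->
              logger:error("killing stuck sftpd channel ~p: ~p reductions in interval, queue ~p, in ~p",
                           [Pid, Delta, Q, F]),
              exit(Pid, kill),
              {true, Pid};
         ({Pid, Delta, Q, F}) ->
              logger:warning("busy process ~p left alone: ~p reductions, queue ~p, in ~p",
                             [Pid, Delta, Q, F]),
              false
      end, stuck_candidates(IntervalMs, MinReductionDelta)).
```

Run `check_and_kill(2000, 1000000)` from a supervised periodic task and tune the reduction threshold against the node's normal rate; the channel limits are the durable part of the mitigation, the monitor only bounds how long a stuck channel keeps its CPU share before the upgrade is applied.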

Generated by OpenCVE AI on July 3, 2026 at 17:54 UTC.

Tracking


Advisories

No advisories yet.

History

Fri, 03 Jul 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Thu, 02 Jul 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Erlang erlang/otp
Erlang otp
Vendors & Products Erlang erlang/otp
Erlang otp

Thu, 02 Jul 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Jul 2026 16:45:00 +0000

Type Values Removed Values Added
Description (added): identical to the Description section at the top of this page.
Title SSH SFTP server denial of service via extended channel data infinite loop
First Time appeared Erlang
Erlang erlang/otp
Weaknesses CWE-400
CWE-835
CPEs cpe:2.3:a:erlang:erlang/otp:*:*:*:*:*:*:*:*
Vendors & Products Erlang
Erlang erlang/otp
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-07-03T04:29:26.056Z

Reserved: 2026-06-16T10:47:13.914Z

Link: CVE-2026-54886

Vulnrichment

Updated: 2026-07-02T17:27:27.846Z

NVD

No data.

Redhat

Severity : Moderate

Public Date: 2026-07-02T16:06:20Z

Links: CVE-2026-54886 - Bugzilla

OpenCVE Enrichment

Updated: 2026-07-03T18:00:12Z

Weaknesses
  • CWE-400

    Uncontrolled Resource Consumption

  • CWE-835

    Loop with Unreachable Exit Condition ('Infinite Loop')