Impact
The vulnerability in Erlang/OTP's ssh_sftpd module arises from a catch-all clause in handle_data/4 that accepts SSH_MSG_CHANNEL_EXTENDED_DATA of any type. When an authenticated SFTP client sends such a message with a non-zero type code and a payload at or below the SFTP packet size limit, the clause recursively calls itself with identical arguments, creating an infinite tail-recursive loop. The affected ssh_sftpd process never processes new messages, its message queue grows without bound, and it consumes its full share of CPU time, leading to unbounded memory usage and denial of service on the targeted SFTP channel. The flaw does not disclose credentials or file contents; the impact is limited to service degradation and potential resource exhaustion.
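The recursion pattern described above, shown as an added illustration that is not the OTP ssh_sftpd source: the module name, function names and the placeholder `process_sftp_packet/3` are assumptions; only the shape of the two clauses follows the advisory. The first version re-enters itself with unchanged arguments for every extended-data type other than 0, so it never returns; the second discards such data and hands the unchanged state back to the caller.

```erlang
%% Added illustration of the catch-all recursion pattern; NOT OTP's
%% ssh_sftpd code. Module and function names are assumptions.
-module(extended_data_pattern).
-export([handle_data_vulnerable/4, handle_data_fixed/4]).

%% Vulnerable shape: extended data of type 0 is treated as an SFTP packet;
%% any other type matches the catch-all clause, which calls itself with
%% identical arguments. Erlang's tail-call optimisation keeps the stack flat,
%% so the loop runs forever instead of crashing, starving the process's
%% message queue and consuming its scheduler time.
handle_data_vulnerable(0, ChannelId, Data, State) ->
    process_sftp_packet(ChannelId, Data, State);
handle_data_vulnerable(Type, ChannelId, Data, State) ->
    handle_data_vulnerable(Type, ChannelId, Data, State).

%% Hardened shape: extended data of any non-zero type carries no SFTP
%% packet, so it is logged once and dropped; the channel state is returned
%% unchanged and the process goes back to its mailbox for the next message.
handle_data_fixed(0, ChannelId, Data, State) ->
    process_sftp_packet(ChannelId, Data, State);
handle_data_fixed(Type, ChannelId, _Data, State) ->
    logger:notice("ignoring SSH extended data of type ~p on channel ~p",
                  [Type, ChannelId]),
    {ok, State}.

%% Placeholder for real SFTP packet decoding (assumption, not OTP code).
process_sftp_packet(_ChannelId, _Data, State) ->
    {ok, State}.
```

The defender-side lesson is the one the advisory implies: a catch-all clause in a message handler must make progress (consume the message, change state, or return), never re-dispatch the same arguments; a code review or Dialyzer-style check for self-calls whose argument list is identical to the function head would flag this shape.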
Affected Systems
The flaw affects Erlang OTP releases from 17.0 up to and including 29.0.3, 28.5.0.3, and 27.3.4.14, which correspond to ssh versions 3.0.1 through 6.0.2, 5.5.2.2, and 5.2.11.9, respectively. Any deployment of these versions that exposes the ssh_sftpd module to authenticated SFTP users is susceptible.
Risk and Exploitability
The CVSS score of 5.3 indicates medium severity, and the EPSS score is < 1%, indicating a very low exploitation probability. The vulnerability is not listed in CISA's KEV catalog. An attacker requires only a valid SFTP session; the exploit is network-based and authenticated, and can be executed repeatedly by opening additional shell sessions or maximizing the number of parallel channels. The attack can be amplified because the max_channels option defaults to infinity, which allows unlimited channels per connection. The resulting denial of service can consume processor time and memory, potentially disrupting other services on the same Erlang node, but does not grant broader privileges or disclose sensitive data.
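The amplification path above turns on the daemon's channel limits. The following added example (not from the advisory or from OTP's own documentation) shows an ssh daemon option list that leaves max_channels at its default beside one that caps channels and sessions per the ssh daemon options. The directory paths, the port, and the specific limits (4 channels, 20 sessions) are placeholder assumptions; the option names `system_dir`, `user_dir`, `subsystems`, `max_channels`, `max_sessions` and `parallel_login` are the real OTP ssh daemon options.

```erlang
%% Added configuration example; paths, port and limit values are placeholders.
-module(sftp_daemon_cfg).
-export([weak_options/0, hardened_options/0, start/1]).

-define(SYSTEM_DIR, "/etc/ssh").       %% placeholder: host key directory
-define(USER_DIR,   "/var/sftp/.ssh"). %% placeholder: authorized_keys directory
-define(SFTP_ROOT,  "/var/sftp").      %% placeholder: root exported over SFTP

%% Weak: no max_channels entry, so the default (infinity) applies and a single
%% authenticated client may open as many SFTP channels as it likes, each of
%% which can be driven into the looping state independently.
weak_options() ->
    [{system_dir, ?SYSTEM_DIR},
     {user_dir, ?USER_DIR},
     {subsystems, [ssh_sftpd:subsystem_spec([{root, ?SFTP_ROOT}])]}].

%% Hardened: bound channels per connection and total sessions on the daemon,
%% and serialise logins, so a looping ssh_sftpd process cannot be multiplied
%% without limit. This only contains the blast radius; the remedy for the
%% flaw itself is upgrading to a fixed OTP release.
hardened_options() ->
    weak_options() ++
        [{max_channels, 4},      %% placeholder value; finite is the point
         {max_sessions, 20},     %% placeholder value
         {parallel_login, false}].

%% Start the daemon on Port with the hardened options.
start(Port) ->
    ok = ssh:start(),
    ssh:daemon(Port, hardened_options()).
```

Run as `sftp_daemon_cfg:start(2222).` from an Erlang shell with the ssh application available. A reasonable detection signal for the condition described above is a per-process reductions or message-queue-length watch (for example via `recon` or `erlang:process_info/2` on ssh_sftpd processes) that alerts when a single process pins a scheduler while its queue keeps growing.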
OpenCVE Enrichment