Description
Use of Default Cryptographic Key vulnerability in Erlang/OTP ssl (DTLS server) allows predictable DTLS cookie computation during the startup window, enabling source address verification bypass.

On DTLS server startup, dtls_server_connection:initial_hello/3 initializes previous_cookie_secret to the empty binary (<<>>) instead of a random value. The cookie is an HMAC keyed with that secret, so with an empty key it is computable by anyone who knows the inputs: an attacker who observes the plaintext ClientHello can compute dtls_handshake:cookie(<<>>, IP, Port, Hello) and forge a cookie the server accepts until the cookie secret is first rotated. The DTLS cookie (RFC 6347 §4.2.1) is a denial-of-service mitigation that stops spoofed source IPs from forcing the server to allocate state and perform expensive cryptographic operations; it is not an authentication mechanism. During the window from server startup until the first secret rotation (0 to 15 seconds), an attacker who can observe the plaintext ClientHello can therefore bypass source address verification and drive DTLS handshake amplification toward spoofed source addresses.
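The following Python model, added here and not taken from OTP, shows why an empty previous_cookie_secret lets an observer forge the cookie, and why either a random initial value or the first rotation closes the window. The cookie MAC (HMAC-SHA256 over address, port and a few ClientHello fields) and the server's accept-current-or-previous-secret check are assumptions standing in for dtls_handshake:cookie/4 and dtls_server_connection; OTP's exact field layout and MAC are not reproduced, and the addresses and ClientHello bytes are constructed.

```python
"""Model of the startup-window DTLS cookie bypass (added example, not OTP code).

The cookie MAC below is an assumed stand-in for dtls_handshake:cookie/4:
HMAC-SHA256 over the claimed source address and a few ClientHello fields.
The verification order (current secret, then previous secret) is likewise
assumed; OTP's exact layout is not reproduced."""
import hashlib
import hmac
import ipaddress
import os
from dataclasses import dataclass, replace


@dataclass
class ClientHello:
    random: bytes                                # 32-byte client random
    session_id: bytes = b""
    cipher_suites: bytes = b"\xc0\x2b\xc0\x2f"   # constructed suite list
    cookie: bytes = b""                          # empty on the first flight


def cookie(secret: bytes, ip: str, port: int, hello: ClientHello) -> bytes:
    """Stateless cookie: MAC over (address, port, ClientHello fields)."""
    msg = (ipaddress.ip_address(ip).packed + port.to_bytes(2, "big")
           + hello.random + hello.session_id + hello.cipher_suites)
    return hmac.new(secret, msg, hashlib.sha256).digest()


class DtlsServer:
    """Cookie state as the description gives it: cookie_secret is random;
    previous_cookie_secret is <<>> at startup in the vulnerable build and,
    as assumed here for the fixed build, a random value."""

    def __init__(self, fixed: bool):
        self.cookie_secret = os.urandom(32)
        self.previous_cookie_secret = os.urandom(32) if fixed else b""
        self.connections = []   # per-peer state, allocated only after a valid cookie

    def rotate_secret(self):
        """The rotation that, per the description, ends the startup window."""
        self.previous_cookie_secret = self.cookie_secret
        self.cookie_secret = os.urandom(32)

    def handle_client_hello(self, ip: str, port: int, hello: ClientHello) -> str:
        if hello.cookie == b"":
            # No cookie yet: answer statelessly with HelloVerifyRequest.
            return "HelloVerifyRequest:" + cookie(self.cookie_secret, ip, port, hello).hex()
        for secret in (self.cookie_secret, self.previous_cookie_secret):
            if hmac.compare_digest(hello.cookie, cookie(secret, ip, port, hello)):
                self.connections.append((ip, port))   # state and crypto work now begin
                return "ServerHello"
        return "rejected"


def forge_cookie(ip: str, port: int, hello: ClientHello) -> bytes:
    """Attacker side: only the ClientHello and the spoofed address are needed,
    because the startup previous secret is the empty binary."""
    return cookie(b"", ip, port, hello)


def spoofed_attempt(fixed: bool, rotated: bool) -> str:
    """ClientHello from a spoofed source carrying a cookie forged under the empty key."""
    server = DtlsServer(fixed=fixed)
    if rotated:
        server.rotate_secret()
    victim_ip, victim_port = "203.0.113.7", 4433          # constructed spoofed source
    hello = ClientHello(random=bytes(range(32)))          # constructed ClientHello
    forged = replace(hello, cookie=forge_cookie(victim_ip, victim_port, hello))
    return server.handle_client_hello(victim_ip, victim_port, forged)


def legitimate_flow(server: DtlsServer) -> str:
    """Honest client: echo the cookie received in HelloVerifyRequest."""
    ip, port = "198.51.100.9", 5000                       # constructed client address
    hello = ClientHello(random=os.urandom(32))
    hvr = server.handle_client_hello(ip, port, hello)
    echoed = bytes.fromhex(hvr.split(":", 1)[1])
    return server.handle_client_hello(ip, port, replace(hello, cookie=echoed))


if __name__ == "__main__":
    print("vulnerable, before rotation:", spoofed_attempt(fixed=False, rotated=False))  # ServerHello
    print("vulnerable, after rotation: ", spoofed_attempt(fixed=False, rotated=True))   # rejected
    print("fixed, before rotation:     ", spoofed_attempt(fixed=True, rotated=False))   # rejected
    print("honest client on fixed:     ", legitimate_flow(DtlsServer(fixed=True)))     # ServerHello
```

Nothing in forge_cookie depends on server state; that is the whole point of the weakness. Once rotate_secret has run, the empty key is no longer consulted and the same forged cookie is rejected, which is why the description bounds the exposure to the interval before the first rotation.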

This vulnerability is associated with program file lib/ssl/src/dtls_server_connection.erl and program routine dtls_server_connection:initial_hello/3.

This issue affects OTP from 20.0 up to, but not including, the fixed releases 29.0.3, 28.5.0.3 and 27.3.4.14, corresponding to ssl from 8.2 up to, but not including, 11.7.3, 11.6.0.3 and 11.2.12.10.
Published: 2026-07-02
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The DTLS server in Erlang/OTP initializes previous_cookie_secret to the empty binary at startup, so the cookie MAC is computed under a key anyone knows. An attacker who observes the plaintext ClientHello can compute a valid cookie before the server first rotates the secret, bypassing the source address verification that is meant to stop spoofed clients from forcing state allocation and cryptographic work. The flaw is classified as CWE-1394, Use of Default Cryptographic Key.

Affected Systems

The vulnerability affects Erlang/OTP from 20.0 up to, but not including, the fixed releases 29.0.3, 28.5.0.3 and 27.3.4.14; the corresponding ssl application versions are 8.2 up to, but not including, 11.7.3, 11.6.0.3 and 11.2.12.10. Every release on the OTP 27 and 28 branches older than those patch releases is affected, not only 27.3 and 28.5.

Risk and Exploitability

The CVSS 4.0 score of 6.3 (AV:N/AC:L/AT:P/PR:N/UI:N/VA:L) rates the issue medium. It is not listed in the CISA KEV catalogue, and the SSVC assessment on this page records no known exploitation. The 0 to 15 second window after server start is narrow, and the attacker must see the plaintext ClientHello during it, but within that window a forged cookie bypasses source address verification and lets the attacker drive DTLS handshake work toward spoofed source addresses, which can exhaust server resources and amplify traffic. The flaw does not lead to code execution or data disclosure; its impact is degraded availability and increased network traffic.

Generated by OpenCVE AI on July 3, 2026 at 10:09 UTC.

Remediation

No vendor advisory or workaround is linked on this page; the description itself names the fixed releases (OTP 29.0.3, 28.5.0.3 and 27.3.4.14, with ssl 11.7.3, 11.6.0.3 and 11.2.12.10).

OpenCVE Recommended Actions

  • Upgrade Erlang/OTP to 29.0.3, or to the patch release for the branch in use (28.5.0.3 for OTP 28, 27.3.4.14 for OTP 27); these are the releases the description lists as fixed for the initialization of previous_cookie_secret in dtls_server_connection:initial_hello/3.
  • Confirm that the ssl application shipped with the upgraded OTP is 11.7.3, 11.6.0.3 or 11.2.12.10, or a later version on the same branch; ssl 8.2 is the first affected version, not a fixed one.
  • If an upgrade cannot be performed immediately, restrict inbound DTLS traffic to trusted networks or rate‑limit new handshakes, and avoid unnecessary restarts of DTLS servers, since each restart reopens the 0 to 15 second window in which the cookie is forgeable.
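A small checker for the ssl application version string, added here and not part of OpenCVE or OTP tooling, encodes the ranges from the description: affected from ssl 8.2; fixed at 11.2.12.10 on the OTP 27 branch (11.2.x), at 11.6.0.3 on the OTP 28 branch (11.3 up to below 11.7), and at 11.7.3 and above. That any later release on the same branch also carries the fix is an assumption; the sample version strings are constructed.

```python
"""Affected-version check for the Erlang/OTP ssl application (added example,
not OpenCVE or OTP tooling).

Ranges are taken from the description: affected from ssl 8.2; fixed at
11.2.12.10 (OTP 27.3.4.14), 11.6.0.3 (OTP 28.5.0.3) and 11.7.3 (OTP 29.0.3).
Releases between branches with no fix point below them (e.g. 11.3 .. 11.6.0.2)
are affected. Assumption: later versions on a fixed branch keep the fix.

The running version can be read with (assumed invocation, not from the page):
  erl -noshell -eval 'application:load(ssl), {ok, V} = application:get_key(ssl, vsn),
                      io:format("~s~n", [V]), halt().'
"""

FIRST_AFFECTED = (8, 2)

# (fix version, exclusive upper bound of that maintenance branch; None = open-ended)
FIXED_POINTS = [
    ((11, 2, 12, 10), (11, 3)),   # OTP 27 branch, fixed in 27.3.4.14
    ((11, 6, 0, 3), (11, 7)),     # OTP 28 branch, fixed in 28.5.0.3
    ((11, 7, 3), None),           # OTP 29.0.3 and everything after
]


def parse_vsn(vsn: str) -> tuple:
    """'11.6.0.3' -> (11, 6, 0, 3); tuples compare element-wise, so a shorter
    tuple such as (11, 7) sorts below (11, 7, 0)."""
    return tuple(int(part) for part in vsn.strip().split("."))


def is_affected(vsn: str) -> bool:
    """True when the ssl version lies in an affected range from the description."""
    v = parse_vsn(vsn)
    if v < FIRST_AFFECTED:
        return False
    for fix, branch_end in FIXED_POINTS:
        if v >= fix and (branch_end is None or v < branch_end):
            return False
    return True


def report(vsn: str) -> str:
    """One-line verdict suitable for an inventory script."""
    return f"ssl {vsn}: {'AFFECTED' if is_affected(vsn) else 'not affected'}"


if __name__ == "__main__":
    # Constructed sample versions covering each boundary.
    for sample in ["8.1", "8.2", "10.1", "11.2.12.9", "11.2.12.10",
                   "11.4.1", "11.6.0.2", "11.6.0.3", "11.7.2", "11.7.3", "12.0"]:
        print(report(sample))
```

The branch bounds are what make this more than a single comparison: 11.4.1 is numerically above the OTP 27 fix 11.2.12.10 yet still affected, because the OTP 28 branch only received its fix at 11.6.0.3.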



Advisories

No advisories yet.

History

Fri, 03 Jul 2026 01:30:00 +0000

Type: First Time appeared
  Values Added: Erlang erlang/otp
Type: Vendors & Products
  Values Added: Erlang erlang/otp

Thu, 02 Jul 2026 18:30:00 +0000

Type: Metrics (ssvc)
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 02 Jul 2026 16:45:00 +0000

Type: Description
  Values Added: (the description shown at the top of this page)
Type: Title
  Values Added: DTLS server cookie bypass during startup window due to empty initial cookie secret
Type: First Time appeared
  Values Added: Erlang; Erlang erlang/otp
Type: Weaknesses
  Values Added: CWE-1394
Type: CPEs
  Values Added: cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
Type: Vendors & Products
  Values Added: Erlang; Erlang erlang/otp
Type: References
  Values Added: (empty)
Type: Metrics (cvssV4_0)
  Values Added: {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-07-03T04:29:00.191Z

Reserved: 2026-06-16T10:47:13.915Z

Link: CVE-2026-54887

Vulnrichment

Updated: 2026-07-02T17:28:40.366Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-03T10:15:03Z

Weaknesses
  • CWE-1394

    Use of Default Cryptographic Key