Description
The Erlang/OTP ssl application does not validate that the PSK identity list and binder list carried in a TLS 1.3 ClientHello pre-shared key extension have equal length before passing them to the session ticket handler. In tls_handshake_1_3:handle_pre_shared_key/3, an OfferedPreSharedKeys record with a mismatched number of identities and binders is forwarded directly to tls_server_session_ticket:use/4, which crashes the session ticket handler process.

An unauthenticated remote attacker can send a single crafted ClientHello to a TLS 1.3 server with session tickets enabled (stateful or stateless mode) and permanently disrupt session ticket handling on that listener. New TLS 1.3 handshakes complete but subsequently crash when the server attempts to issue a session ticket, effectively making TLS 1.3 unusable on the affected listener until the ssl application is restarted. TLS 1.2 connections are not affected.

This issue affects OTP from 22.2 before 29.0.3, 28.5.0.3 and 27.3.4.14 corresponding to ssl from 9.5 before 11.7.3, 11.6.0.3 and 11.2.12.10.
Published: 2026-07-02
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises when the Erlang/OTP ssl application accepts a TLS 1.3 ClientHello containing a pre‑shared key extension whose identity list and binder list have unequal lengths. Because the application forwards the mismatched lists directly to the session ticket handler, the handler crashes. An unauthenticated remote attacker can send a single crafted ClientHello to a TLS 1.3 server that has session tickets enabled, causing the server to become unable to issue session tickets. Subsequent TLS 1.3 handshakes fail when the server attempts to issue a session ticket, effectively disabling TLS 1.3 on the affected listener until the ssl application is restarted. TLS 1.2 connections remain unaffected.
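
The missing check, applied to the wire form of the pre_shared_key extension body (RFC 8446, section 4.2.11), as an added example that is not OTP's code or its fix. The module name, the error tuples and the sample bytes built in `demo/0` are constructed for illustration.

```erlang
-module(psk_ext_check).
-export([check/1, demo/0]).

%% Body of the ClientHello pre_shared_key extension (OfferedPsks):
%%   identities<7..2^16-1>, each: opaque identity<1..2^16-1>, uint32 obfuscated_ticket_age
%%   binders<33..2^16-1>,   each: opaque PskBinderEntry<32..255>
%% Accept only when both vectors parse cleanly and hold the same number of entries.
check(<<IdLen:16, Ids:IdLen/binary, BLen:16, Binders:BLen/binary>>)
  when IdLen >= 7, BLen >= 33 ->
    case {identities(Ids, []), binders(Binders, [])} of
        {{ok, I}, {ok, B}} when length(I) =:= length(B) ->
            {ok, lists:zip(I, B)};          % identity N is verified with binder N
        {{ok, I}, {ok, B}} ->
            {error, {psk_count_mismatch, length(I), length(B)}};
        _ ->
            {error, malformed}
    end;
check(_) ->
    {error, malformed}.

%% Walk the identities vector; any leftover or short entry is malformed.
identities(<<>>, Acc) -> {ok, lists:reverse(Acc)};
identities(<<L:16, Id:L/binary, Age:32, Rest/binary>>, Acc) when L >= 1 ->
    identities(Rest, [{Id, Age} | Acc]);
identities(_, _) -> error.

%% Walk the binders vector; each binder carries a one-byte length of 32..255.
binders(<<>>, Acc) -> {ok, lists:reverse(Acc)};
binders(<<L:8, B:L/binary, Rest/binary>>, Acc) when L >= 32 ->
    binders(Rest, [B | Acc]);
binders(_, _) -> error.

%% Constructed sample input: zero-filled 32-byte binders, made-up identity labels.
demo() ->
    Id = fun(Name) -> <<(byte_size(Name)):16, Name/binary, 0:32>> end,
    Binder = <<32, 0:256>>,
    Ext = fun(Ids, Bs) ->
        I = iolist_to_binary(Ids),
        B = iolist_to_binary(Bs),
        <<(byte_size(I)):16, I/binary, (byte_size(B)):16, B/binary>>
    end,
    Matched = Ext([Id(<<"ticket-a">>)], [Binder]),
    Mismatched = Ext([Id(<<"ticket-a">>), Id(<<"ticket-b">>)], [Binder]),
    {check(Matched), check(Mismatched)}.
```

Rejecting the mismatch at parse time keeps the unequal lists from ever reaching a shared handler process, which is the property the description says was missing.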

Affected Systems

The affected product is Erlang/OTP across multiple releases. OTP from 22.2 before 29.0.3, 28.5.0.3 and 27.3.4.14 is impacted; the corresponding ssl libraries (ssl from 9.5 before 11.7.3, 11.6.0.3 and 11.2.12.10) also contain the flaw. Any TLS 1.3 server running these versions with session tickets enabled is vulnerable.

Risk and Exploitability

The flaw has a CVSS score of 8.2 and is not listed in the CISA KEV catalogue. EPSS data is not available, but the vulnerability is exploitable from the network without authentication; an attacker only needs to send a malformed ClientHello. Once triggered, the crash forces a denial of service that lasts until the ssl application is restarted.

Generated by OpenCVE AI on July 3, 2026 at 10:09 UTC.

Remediation

Vendor Workaround

  • Disable session tickets on TLS 1.3 servers by setting session_tickets to disabled in the server's ssl options.
  • Restrict the server to TLS 1.2 by setting versions to ['tlsv1.2'] in the server's ssl options.


OpenCVE Recommended Actions

  • Upgrade to Erlang/OTP 29.0.3 or later (and ssl 11.7.3 or later) which removes the length‑validation bug.
  • Disable session tickets in the ssl options by setting session_tickets to disabled if an upgrade cannot be performed immediately.
  • Restrict the server to TLS 1.2 by setting the versions option to ['tlsv1.2'] as a temporary mitigation.

Advisories

No advisories yet.

History

Fri, 03 Jul 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-130
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Important


Thu, 02 Jul 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Jul 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Erlang erlang/otp
Erlang otp
Vendors & Products Erlang erlang/otp
Erlang otp

Thu, 02 Jul 2026 16:45:00 +0000

Type Values Removed Values Added
Title TLS 1.3 server denial of service via malformed ClientHello pre-shared key extension
First Time appeared Erlang
Erlang erlang\/otp
Weaknesses CWE-1284
CPEs cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
Vendors & Products Erlang
Erlang erlang\/otp
References
Metrics cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-07-03T04:29:07.026Z

Reserved: 2026-06-17T17:55:15.686Z

Link: CVE-2026-55952

Vulnrichment

Updated: 2026-07-02T17:28:12.551Z

NVD

No data.

Redhat

Severity: Important

Public Date: 2026-07-02T16:06:08Z

Links: CVE-2026-55952 - Bugzilla

OpenCVE Enrichment

Updated: 2026-07-03T10:15:03Z

Weaknesses
  • CWE-1284

    Improper Validation of Specified Quantity in Input

  • CWE-130

    Improper Handling of Length Parameter Inconsistency