Impact
The vulnerability arises when the Erlang/OTP ssl application accepts a TLS 1.3 ClientHello containing a pre‑shared key extension whose identity list and binder list have unequal lengths. Because the application forwards the mismatched lists directly to the session ticket handler, the handler crashes. An unauthenticated remote attacker can send a single crafted ClientHello to a TLS 1.3 server that has session tickets enabled, causing the server to become unable to issue session tickets. Subsequent TLS 1.3 handshakes fail when the server attempts to issue a session ticket, effectively disabling TLS 1.3 on the affected listener until the ssl application is restarted. TLS 1.2 connections remain unaffected.
Affected Systems
The affected product is Erlang/OTP across multiple releases. Versions of OTP from 22.2 up through 28.5.0.3 and 27.3.4.14, inclusive, are impacted; the corresponding ssl libraries (ssl 9.5 before 11.7.3, 11.6.0.3, and 11.2.12.10) also contain the flaw. Any TLS 1.3 server running these versions with session tickets enabled is vulnerable.
Risk and Exploitability
The flaw has a CVSS score of 8.2 and is not listed in the CISA KEV catalogue. EPSS data is not available, but the vulnerability is exploitable from the network without authentication; an attacker only needs to send a malformed ClientHello. Once triggered, the crash forces a denial of service that lasts until the ssl application is restarted.
OpenCVE Enrichment