[Pkg-erlang-devel] Bug#1141414: erlang: CVE-2026-53422 CVE-2026-54886 CVE-2026-54887 CVE-2026-54891 CVE-2026-55950 CVE-2026-55952
Salvatore Bonaccorso
carnil at debian.org
Sat Jul 4 10:01:04 BST 2026
Source: erlang
Version: 1:29.0.2+dfsg-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerabilities were published for erlang.
CVE-2026-53422[0]:
| Observable Response Discrepancy vulnerability in Erlang OTP ssh
| (ssh_sftpd module) allows an authenticated SFTP user to enumerate
| the existence of files and directories outside the configured root
| directory. The SSH_FXP_REALPATH handler in ssh_sftpd calls
| relate_file_name/3 with Canonicalize=false, unlike every other SFTP
| operation handler. This allows .. components in the requested path
| to bypass the is_within_root/2 check without being resolved. The un-
| canonicalized path then enters resolve_symlinks/2, which walks up
| the directory tree above the configured root and issues read_link()
| syscalls on arbitrary filesystem paths. An authenticated SFTP
| client can exploit this by sending a REALPATH request with a crafted
| traversal path. The server response differs depending on whether the
| target path exists on the host filesystem (SSH_FXP_NAME when the
| path resolves successfully, SSH_FX_NO_SUCH_FILE when it does not).
| This creates a path-existence oracle that an attacker can use to
| enumerate the filesystem structure outside the configured root,
| including the existence of sensitive files, directories, and mount
| points. The vulnerability leaks only the existence of paths. No
| file contents, credentials, or write access are obtainable through
| this issue alone. The information gained may assist further attacks
| when combined with other vulnerabilities. This vulnerability is
| associated with program files lib/ssh/src/ssh_sftpd.erl and program
| routine ssh_sftpd:handle_op/4. This issue affects OTP from OTP 17.0
| until OTP 29.0.3, 28.5.0.3, and 27.3.4.14 corresponding to ssh from
| 3.0.1 until 6.0.2, 5.5.2.2, and 5.2.11.9.
CVE-2026-54886[1]:
| Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability
| in Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP
| user to render an SFTP channel permanently unresponsive. The
| handle_data/4 function in ssh_sftpd contains a catch-all clause that
| accepts channel data of any type. When channel data with a non-zero
| type code (SSH_MSG_CHANNEL_EXTENDED_DATA) arrives with an empty
| pending buffer and a payload at or below the SFTP packet size limit,
| the clause tail-calls itself with identical arguments, creating an
| infinite loop. The SFTP protocol operates exclusively on normal
| channel data (type 0). Extended data (non-zero type) is meaningless
| for SFTP and is never sent by conforming clients. However, the SSH
| protocol permits any channel participant to send extended data on an
| open channel, so an authenticated SFTP client can trigger the loop
| by sending SSH_MSG_CHANNEL_EXTENDED_DATA with any data_type_code and
| any non-empty payload at or below the size limit. The targeted
| ssh_sftpd process enters an infinite tail-recursive loop. It never
| processes another message, its message queue grows without bound,
| and it can only be stopped by killing the process. BEAM's reduction-
| based scheduler preemption continues to function, so other processes
| on the node are not starved, but each stuck channel process consumes
| its full CPU time share continuously and accumulates unbounded
| message queue memory. Opening many channels amplifies the CPU and
| memory impact. Erlang/OTP SSH configurations using the default
| max_channels setting (infinity) allow an authenticated user to open
| unlimited channels per connection, amplifying the attack without
| requiring multiple TCP connections or authentications. No file
| contents, credentials, or write access are obtainable through this
| issue. The impact is limited to denial of service on targeted SFTP
| channels, with secondary CPU degradation and memory growth. This
| vulnerability is associated with program file
| lib/ssh/src/ssh_sftpd.erl and program routine
| ssh_sftpd:handle_data/4. This issue affects OTP from OTP 17.0 until
| OTP 29.0.3, 28.5.0.3, and 27.3.4.14 corresponding to ssh from 3.0.1
| until 6.0.2, 5.5.2.2, and 5.2.11.9.
CVE-2026-54887[2]:
| Use of Default Cryptographic Key vulnerability in Erlang/OTP ssl
| (DTLS server) allows predictable DTLS cookie computation during the
| startup window, enabling source address verification bypass. On
| DTLS server startup, dtls_server_connection:initial_hello/3
| initializes previous_cookie_secret to the empty binary (<<>>)
| instead of a random value. Because HMAC with an empty key is
| deterministic, anyone who observes the plaintext ClientHello can
| compute dtls_handshake:cookie(<<>>, IP, Port, Hello) and forge a
| valid DTLS cookie before the first rotation of the cookie secret.
| The DTLS cookie (RFC 6347 §4.2.1) is a denial-of-service mitigation
| that prevents spoofed source IPs from forcing the server to allocate
| state and perform expensive cryptographic operations; it is not an
| authentication mechanism. During the window from server startup
| until the first secret rotation (0 to 15 seconds), an attacker who
| can observe the plaintext ClientHello can bypass the source address
| verification, enabling DTLS handshake amplification with spoofed
| source addresses. This vulnerability is associated with program
| file lib/ssl/src/dtls_server_connection.erl and program routine
| dtls_server_connection:initial_hello/3. This issue affects OTP from
| OTP 20.0 before 29.0.3, 28.5.0.3 and 27.3.4.14 corresponding to ssl
| from 8.2 before 11.7.3, 11.6.0.3 and 11.2.12.10.
CVE-2026-54891[3]:
| Improper Enforcement of Message Integrity During Transmission in a
| Communication Channel vulnerability in Erlang/OTP ssl
| (tls_gen_connection module) allows a network-positioned attacker to
| inject unauthenticated plaintext that the TLS client application
| later treats as authenticated server data. The function
| tls_gen_connection:handle_protocol_record/3 rejects APPLICATION_DATA
| records that arrive in pre-handshake states when the TLS endpoint
| acts as a server, but does not apply the same check when the
| endpoint acts as a client. A network-positioned attacker can send
| plaintext APPLICATION_DATA records to the client during the
| handshake. The records are buffered and, once the handshake
| completes successfully, delivered to the application as if they were
| authenticated post-handshake data. The attacker cannot observe the
| client's response or steer the connection, so the impact is limited
| to blind injection of unauthenticated bytes. The injection window is
| wider for TLS versions prior to TLS 1.3 than for TLS 1.3. This
| vulnerability is associated with program file
| lib/ssl/src/tls_gen_connection.erl. This issue affects OTP from OTP
| 17.0 before 29.0.3, 28.5.0.3 and 27.3.4.14 corresponding to ssl from
| 5.3.4 before 11.7.3, 11.6.0.3 and 11.2.12.10. TLS 1.3 is affected
| starting with OTP 22.0, when TLS 1.3 support was added.
CVE-2026-55950[4]:
| Time-of-check Time-of-use (TOCTOU) race condition vulnerability in
| Erlang/OTP ssl (dtls_packet_demux module) allows an unauthenticated
| remote attacker to crash all active DTLS sessions on a listener. A
| DTLS server listener uses a single shared dtls_packet_demux
| gen_server process to route incoming UDP datagrams to the correct
| connection handler. When a DTLS client reconnects rapidly from the
| same source address and port (sending multiple ClientHello messages
| in quick succession), a race condition in the demux's internal
| gb_trees key-value store causes a {key_exists, {old, Client}} crash,
| terminating the demux process. Because the demux is shared across
| all DTLS associations on that listener, its crash immediately kills
| every active DTLS session, not just the attacker's. The attack is
| pre-authentication: the attacker only needs to send UDP datagrams
| containing valid ClientHello messages from the same source IP and
| port before the intermediate DOWN monitor message is processed by
| the gen_server. No credentials, no completed handshake, and no
| special configuration are required, and the crash can be repeated
| indefinitely to create a persistent denial of service for all
| clients of that listener. This vulnerability is associated with
| program file lib/ssl/src/dtls_packet_demux.erl. This issue affects
| OTP from OTP 25.3 before 29.0.3, 28.5.0.3, and 27.3.4.14
| corresponding to ssl from 10.9 before 11.7.3, 11.6.0.3, and
| 11.2.12.10.
CVE-2026-55952[5]:
| The Erlang/OTP ssl application does not validate that the PSK
| identity list and binder list carried in a TLS 1.3 ClientHello pre-
| shared key extension have equal length before passing them to the
| session ticket handler. In
| tls_handshake_1_3:handle_pre_shared_key/3, an OfferedPreSharedKeys
| record with a mismatched number of identities and binders is
| forwarded directly to tls_server_session_ticket:use/4, which crashes
| the session ticket handler process. An unauthenticated remote
| attacker can send a single crafted ClientHello to a TLS 1.3 server
| with session tickets enabled (stateful or stateless mode) and
| permanently disrupt session ticket handling on that listener. New
| TLS 1.3 handshakes complete but subsequently crash when the server
| attempts to issue a session ticket, effectively making TLS 1.3
| unusable on the affected listener until the ssl application is
| restarted. TLS 1.2 connections are not affected. This issue affects
| OTP from 22.2 before 29.0.3, 28.5.0.3 and 27.3.4.14 corresponding to
| ssl from 9.5 before 11.7.3, 11.6.0.3 and 11.2.12.10.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-53422
https://www.cve.org/CVERecord?id=CVE-2026-53422
[1] https://security-tracker.debian.org/tracker/CVE-2026-54886
https://www.cve.org/CVERecord?id=CVE-2026-54886
[2] https://security-tracker.debian.org/tracker/CVE-2026-54887
https://www.cve.org/CVERecord?id=CVE-2026-54887
[3] https://security-tracker.debian.org/tracker/CVE-2026-54891
https://www.cve.org/CVERecord?id=CVE-2026-54891
[4] https://security-tracker.debian.org/tracker/CVE-2026-55950
https://www.cve.org/CVERecord?id=CVE-2026-55950
[5] https://security-tracker.debian.org/tracker/CVE-2026-55952
https://www.cve.org/CVERecord?id=CVE-2026-55952
Regards,
Salvatore
More information about the Pkg-erlang-devel
mailing list