DTLS server cookie bypass during startup window due to empty initial cookie secret

Summary

CVECVE-2026-54887
StatePUBLISHED
AssignerEEF
Source PriorityCVE Program / NVD first with legacy fallback
Published2026-07-02 17:17:02 UTC
Updated2026-07-02 18:16:49 UTC
DescriptionUse of Default Cryptographic Key vulnerability in Erlang/OTP ssl (DTLS server) allows predictable DTLS cookie computation during the startup window, enabling source address verification bypass. On DTLS server startup, dtls_server_connection:initial_hello/3 initializes previous_cookie_secret to the empty binary (<<>>) instead of a random value. Because HMAC with an empty key is deterministic, anyone who observes the plaintext ClientHello can compute dtls_handshake:cookie(<<>>, IP, Port, Hello) and forge a valid DTLS cookie before the first rotation of the cookie secret. The DTLS cookie (RFC 6347 §4.2.1) is a denial-of-service mitigation that prevents spoofed source IPs from forcing the server to allocate state and perform expensive cryptographic operations; it is not an authentication mechanism. During the window from server startup until the first secret rotation (0 to 15 seconds), an attacker who can observe the plaintext ClientHello can bypass the source address verification, enabling DTLS handshake amplification with spoofed source addresses. This vulnerability is associated with program file lib/ssl/src/dtls_server_connection.erl and program routine dtls_server_connection:initial_hello/3. This issue affects OTP from OTP 20.0 before 29.0.3, 28.5.0.3 and 27.3.4.14 corresponding to ssl from 8.2 before 11.7.3, 11.6.0.3 and 11.2.12.10.

Risk And Classification

Primary CVSS: v4.0 6.3 MEDIUM from 6b3ad84c-e1a6-4bf7-a703-f496b71e49db

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Problem Types: CWE-1394 | CWE-1394 CWE-1394 Use of Default Cryptographic Key


VersionSourceTypeScoreSeverityVector
4.06b3ad84c-e1a6-4bf7-a703-f496b71e49dbSecondary6.3MEDIUMCVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/C...
4.0CNACVSS6.3MEDIUMCVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

CVSS v4.0 Breakdown

Attack Vector
Network
Attack Complexity
Low
Attack Requirements
Present
Privileges Required
None
User Interaction
None
Confidentiality
None
Integrity
None
Availability
Low
Sub Conf.
None
Sub Integrity
None
Sub Availability
None

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Vendor Declared Affected Products

SourceVendorProductVersionPlatforms
CNA Erlang OTP affected 8.2 * otp Not specified
CNA Erlang OTP affected 20.0 * otp Not specified
CNA Erlang OTP affected e594aad2f87aab39e99fccf9e021bc94e0bbf7d4 888e3bcd72d5406016b9e0de741026bc2a6f114d git Not specified

References

ReferenceSourceLinkTags
osv.dev/vulnerability/EEF-CVE-2026-54887 6b3ad84c-e1a6-4bf7-a703-f496b71e49db osv.dev
github.com/erlang/otp/commit/888e3bcd72d5406016b9e0de741026bc2a6f114d 6b3ad84c-e1a6-4bf7-a703-f496b71e49db github.com
cna.erlef.org/cves/CVE-2026-54887.html 6b3ad84c-e1a6-4bf7-a703-f496b71e49db cna.erlef.org
www.erlang.org/doc/system/versions.html 6b3ad84c-e1a6-4bf7-a703-f496b71e49db www.erlang.org
github.com/erlang/otp/security/advisories/GHSA-p2m2-3c2w-8jp8 6b3ad84c-e1a6-4bf7-a703-f496b71e49db github.com
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis

Vendor Comments And Credit

Discovery Credit

CNA: Lukas Backström (en)

CNA: Ingela Anderton Andin (en)

CNA: Dan Gudmundsson (en)

© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report