{"api_version":"1","generated_at":"2026-04-17T00:18:33+00:00","cve":"CVE-2026-23943","urls":{"html":"https://cve.report/CVE-2026-23943","api":"https://cve.report/api/cve/CVE-2026-23943.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-23943","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-23943"},"summary":{"title":"Pre-auth SSH DoS via unbounded zlib inflate","description":"Improper Handling of Highly Compressed Data (Compression Bomb) vulnerability in Erlang OTP ssh (ssh_transport modules) allows Denial of Service via Resource Depletion.\n\nThe SSH transport layer advertises legacy zlib compression by default and inflates attacker-controlled payloads pre-authentication without any size limit, enabling reliable memory exhaustion DoS.\n\nTwo compression algorithms are affected:\n\n* zlib: Activates immediately after key exchange, enabling unauthenticated attacks\n* zlib@openssh.com: Activates post-authentication, enabling authenticated attacks\n\nEach SSH packet can decompress ~255 MB from 256 KB of wire data (1029:1 amplification ratio). Multiple packets can rapidly exhaust available memory, causing OOM kills in memory-constrained environments.\n\nThis vulnerability is associated with program files lib/ssh/src/ssh_transport.erl and program routines ssh_transport:decompress/2, ssh_transport:handle_packet_part/4.\n\nThis issue affects OTP from OTP 17.0 until OTP 28.4.1, 27.3.4.9 and 26.2.5.18 corresponding to ssh from 3.0.1 until 5.5.1, 5.2.11.6 and 5.1.4.14.","state":"PUBLISHED","assigner":"EEF","published_at":"2026-03-13 19:54:15","updated_at":"2026-04-06 17:17:08"},"problem_types":["CWE-409","CWE-409 CWE-409 Improper Handling of Highly Compressed Data (Data Amplification)"],"metrics":[{"version":"4.0","source":"6b3ad84c-e1a6-4bf7-a703-f496b71e49db","type":"Secondary","score":"6.9","severity":"MEDIUM","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","data":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":6.9,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}},{"version":"4.0","source":"CNA","type":"CVSS","score":"6.9","severity":"MEDIUM","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N","data":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":6.9,"baseSeverity":"MEDIUM","exploitMaturity":"NOT_DEFINED","privilegesRequired":"NONE","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"LOW","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnerabilityResponseEffort":"NOT_DEFINED"}}],"references":[{"url":"https://github.com/erlang/otp/commit/43a87b949bdff12d629a8c34146711d9da93b1b1","name":"https://github.com/erlang/otp/commit/43a87b949bdff12d629a8c34146711d9da93b1b1","refsource":"6b3ad84c-e1a6-4bf7-a703-f496b71e49db","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/erlang/otp/security/advisories/GHSA-c836-qprm-jw9r","name":"https://github.com/erlang/otp/security/advisories/GHSA-c836-qprm-jw9r","refsource":"6b3ad84c-e1a6-4bf7-a703-f496b71e49db","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.erlang.org/doc/system/versions.html#order-of-versions","name":"https://www.erlang.org/doc/system/versions.html#order-of-versions","refsource":"6b3ad84c-e1a6-4bf7-a703-f496b71e49db","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://osv.dev/vulnerability/EEF-CVE-2026-23943","name":"https://osv.dev/vulnerability/EEF-CVE-2026-23943","refsource":"6b3ad84c-e1a6-4bf7-a703-f496b71e49db","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/erlang/otp/commit/0c1c04b191f6ab940e8fcfabce39eb5a8a6440a4","name":"https://github.com/erlang/otp/commit/0c1c04b191f6ab940e8fcfabce39eb5a8a6440a4","refsource":"6b3ad84c-e1a6-4bf7-a703-f496b71e49db","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://cna.erlef.org/cves/CVE-2026-23943.html","name":"https://cna.erlef.org/cves/CVE-2026-23943.html","refsource":"6b3ad84c-e1a6-4bf7-a703-f496b71e49db","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/erlang/otp/commit/93073c3bd338c60cd2bae715ce6a1d4ffc1a8fd3","name":"https://github.com/erlang/otp/commit/93073c3bd338c60cd2bae715ce6a1d4ffc1a8fd3","refsource":"6b3ad84c-e1a6-4bf7-a703-f496b71e49db","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-23943","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23943","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Erlang","product":"OTP","version":"affected 3.0.1 * otp","platforms":[]},{"source":"CNA","vendor":"Erlang","product":"OTP","version":"affected 17.0 * otp","platforms":[]},{"source":"CNA","vendor":"Erlang","product":"OTP","version":"affected 07b8f441ca711f9812fad9e9115bab3c3aa92f79 * git","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[{"source":"CNA","title":"","value":"Best workaround - Disable all compression:\n\n{preferred_algorithms, [{compression, ['none']}]}\n\nAlternative mitigations (less secure):\n\n* Disable only pre-auth zlib compression (authenticated users can still exploit via zlib@openssh.com):\n  {modify_algorithms, [{rm, [{compression, ['zlib']}]}]}\n* Limit concurrent sessions (reduces attack surface but does not prevent exploitation):\n  {max_sessions, N}  % Cap total concurrent sessions (default is infinity)","time":"","lang":"en"}],"exploits":[],"credits":[{"source":"CNA","value":"Igor Morgenstern / Aisle Research","lang":"en"},{"source":"CNA","value":"Michał Wąsowski","lang":"en"},{"source":"CNA","value":"Jakub Witczak","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"23943","cve":"CVE-2026-23943","epss":"0.001210000","percentile":"0.311280000","score_date":"2026-04-07","updated_at":"2026-04-08 00:03:39"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-23943","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-03-13T16:01:40.898658Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-03-13T16:01:48.609Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"cpes":["cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"],"defaultStatus":"unknown","modules":["ssh_transport"],"packageName":"ssh","packageURL":"pkg:otp/ssh?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp&vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git","product":"OTP","programFiles":["src/ssh_transport.erl"],"programRoutines":[{"name":"ssh_transport:decompress/2"},{"name":"ssh_transport:handle_packet_part/4"}],"repo":"https://github.com/erlang/otp","vendor":"Erlang","versions":[{"changes":[{"at":"5.5.1","status":"unaffected"},{"at":"5.2.11.6","status":"unaffected"},{"at":"5.1.4.14","status":"unaffected"}],"lessThan":"*","status":"affected","version":"3.0.1","versionType":"otp"}]},{"collectionURL":"https://github.com","cpes":["cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"],"defaultStatus":"unknown","modules":["ssh_transport"],"packageName":"erlang/otp","packageURL":"pkg:github/erlang/otp","product":"OTP","programFiles":["lib/ssh/src/ssh_transport.erl"],"programRoutines":[{"name":"ssh_transport:decompress/2"},{"name":"ssh_transport:handle_packet_part/4"}],"repo":"https://github.com/erlang/otp","vendor":"Erlang","versions":[{"changes":[{"at":"28.4.1","status":"unaffected"},{"at":"27.3.4.9","status":"unaffected"},{"at":"26.2.5.18","status":"unaffected"}],"lessThan":"*","status":"affected","version":"17.0","versionType":"otp"},{"changes":[{"at":"43a87b949bdff12d629a8c34146711d9da93b1b1","status":"unaffected"},{"at":"93073c3bd338c60cd2bae715ce6a1d4ffc1a8fd3","status":"unaffected"},{"at":"0c1c04b191f6ab940e8fcfabce39eb5a8a6440a4","status":"unaffected"}],"lessThan":"*","status":"affected","version":"07b8f441ca711f9812fad9e9115bab3c3aa92f79","versionType":"git"}]}],"credits":[{"lang":"en","type":"reporter","value":"Igor Morgenstern / Aisle Research"},{"lang":"en","type":"remediation developer","value":"Michał Wąsowski"},{"lang":"en","type":"remediation reviewer","value":"Jakub Witczak"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Improper Handling of Highly Compressed Data (Compression Bomb) vulnerability in Erlang OTP ssh (ssh_transport modules) allows Denial of Service via Resource Depletion.<p>The SSH transport layer advertises legacy zlib compression by default and inflates attacker-controlled payloads pre-authentication without any size limit, enabling reliable memory exhaustion DoS.</p><p>Two compression algorithms are affected:</p><ul><li><b>zlib:</b> Activates immediately after key exchange, enabling unauthenticated attacks</li><li><b>zlib@openssh.com:</b> Activates post-authentication, enabling authenticated attacks</li></ul><p>Each SSH packet can decompress ~255 MB from 256 KB of wire data (1029:1 amplification ratio). Multiple packets can rapidly exhaust available memory, causing OOM kills in memory-constrained environments.</p><p>This vulnerability is associated with program files <tt>lib/ssh/src/ssh_transport.erl</tt> and program routines <tt>ssh_transport:decompress/2</tt>, <tt>ssh_transport:handle_packet_part/4</tt>.</p><p>This issue affects OTP from OTP 17.0 until OTP 28.4.1, 27.3.4.9 and 26.2.5.18 corresponding to ssh from 3.0.1 until 5.5.1, 5.2.11.6 and 5.1.4.14.</p>"}],"value":"Improper Handling of Highly Compressed Data (Compression Bomb) vulnerability in Erlang OTP ssh (ssh_transport modules) allows Denial of Service via Resource Depletion.\n\nThe SSH transport layer advertises legacy zlib compression by default and inflates attacker-controlled payloads pre-authentication without any size limit, enabling reliable memory exhaustion DoS.\n\nTwo compression algorithms are affected:\n\n* zlib: Activates immediately after key exchange, enabling unauthenticated attacks\n* zlib@openssh.com: Activates post-authentication, enabling authenticated attacks\n\nEach SSH packet can decompress ~255 MB from 256 KB of wire data (1029:1 amplification ratio). Multiple packets can rapidly exhaust available memory, causing OOM kills in memory-constrained environments.\n\nThis vulnerability is associated with program files lib/ssh/src/ssh_transport.erl and program routines ssh_transport:decompress/2, ssh_transport:handle_packet_part/4.\n\nThis issue affects OTP from OTP 17.0 until OTP 28.4.1, 27.3.4.9 and 26.2.5.18 corresponding to ssh from 3.0.1 until 5.5.1, 5.2.11.6 and 5.1.4.14."}],"impacts":[{"capecId":"CAPEC-130","descriptions":[{"lang":"en","value":"CAPEC-130 Excessive Allocation"}]},{"capecId":"CAPEC-490","descriptions":[{"lang":"en","value":"CAPEC-490 Amplification"}]}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":6.9,"baseSeverity":"MEDIUM","exploitMaturity":"NOT_DEFINED","privilegesRequired":"NONE","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"LOW","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-409","description":"CWE-409 Improper Handling of Highly Compressed Data (Data Amplification)","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-06T16:44:10.203Z","orgId":"6b3ad84c-e1a6-4bf7-a703-f496b71e49db","shortName":"EEF"},"references":[{"tags":["vendor-advisory","related"],"url":"https://github.com/erlang/otp/security/advisories/GHSA-c836-qprm-jw9r"},{"tags":["related"],"url":"https://cna.erlef.org/cves/CVE-2026-23943.html"},{"tags":["related"],"url":"https://osv.dev/vulnerability/EEF-CVE-2026-23943"},{"tags":["x_version-scheme"],"url":"https://www.erlang.org/doc/system/versions.html#order-of-versions"},{"tags":["patch"],"url":"https://github.com/erlang/otp/commit/43a87b949bdff12d629a8c34146711d9da93b1b1"},{"tags":["patch"],"url":"https://github.com/erlang/otp/commit/93073c3bd338c60cd2bae715ce6a1d4ffc1a8fd3"},{"tags":["patch"],"url":"https://github.com/erlang/otp/commit/0c1c04b191f6ab940e8fcfabce39eb5a8a6440a4"}],"source":{"discovery":"EXTERNAL"},"title":"Pre-auth SSH DoS via unbounded zlib inflate","workarounds":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p><b>Best workaround - Disable all compression:</b></p><pre>{preferred_algorithms, [{compression, ['none']}]}</pre><p><b>Alternative mitigations (less secure):</b></p><ul><li>Disable only pre-auth zlib compression (authenticated users can still exploit via zlib@openssh.com):<pre>{modify_algorithms, [{rm, [{compression, ['zlib']}]}]}</pre></li><li>Limit concurrent sessions (reduces attack surface but does not prevent exploitation):<pre>{max_sessions, N}  % Cap total concurrent sessions (default is infinity)</pre></li></ul>"}],"value":"Best workaround - Disable all compression:\n\n{preferred_algorithms, [{compression, ['none']}]}\n\nAlternative mitigations (less secure):\n\n* Disable only pre-auth zlib compression (authenticated users can still exploit via zlib@openssh.com):\n  {modify_algorithms, [{rm, [{compression, ['zlib']}]}]}\n* Limit concurrent sessions (reduces attack surface but does not prevent exploitation):\n  {max_sessions, N}  % Cap total concurrent sessions (default is infinity)"}],"x_generator":{"engine":"Vulnogram 0.2.0"}}},"cveMetadata":{"assignerOrgId":"6b3ad84c-e1a6-4bf7-a703-f496b71e49db","assignerShortName":"EEF","cveId":"CVE-2026-23943","datePublished":"2026-03-13T09:11:57.794Z","dateReserved":"2026-01-19T14:23:14.343Z","dateUpdated":"2026-04-06T16:44:10.203Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-03-13 19:54:15","lastModifiedDate":"2026-04-06 17:17:08","problem_types":["CWE-409","CWE-409 CWE-409 Improper Handling of Highly Compressed Data (Data Amplification)"],"metrics":{"cvssMetricV40":[{"source":"6b3ad84c-e1a6-4bf7-a703-f496b71e49db","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":6.9,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"23943","Ordinal":"1","Title":"Pre-auth SSH DoS via unbounded zlib inflate","CVE":"CVE-2026-23943","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"23943","Ordinal":"1","NoteData":"Improper Handling of Highly Compressed Data (Compression Bomb) vulnerability in Erlang OTP ssh (ssh_transport modules) allows Denial of Service via Resource Depletion.\n\nThe SSH transport layer advertises legacy zlib compression by default and inflates attacker-controlled payloads pre-authentication without any size limit, enabling reliable memory exhaustion DoS.\n\nTwo compression algorithms are affected:\n\n* zlib: Activates immediately after key exchange, enabling unauthenticated attacks\n* zlib@openssh.com: Activates post-authentication, enabling authenticated attacks\n\nEach SSH packet can decompress ~255 MB from 256 KB of wire data (1029:1 amplification ratio). Multiple packets can rapidly exhaust available memory, causing OOM kills in memory-constrained environments.\n\nThis vulnerability is associated with program files lib/ssh/src/ssh_transport.erl and program routines ssh_transport:decompress/2, ssh_transport:handle_packet_part/4.\n\nThis issue affects OTP from OTP 17.0 until OTP 28.4.1, 27.3.4.9 and 26.2.5.18 corresponding to ssh from 3.0.1 until 5.5.1, 5.2.11.6 and 5.1.4.14.","Type":"Description","Title":"Pre-auth SSH DoS via unbounded zlib inflate"}]}}}