CVE-2025-30211: CWE-789: Memory Allocation with Excessive Size Value in erlang otp
Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.1, 26.2.5.10, and 25.3.2.19, a maliciously formed KEX init message can result with high memory usage. Implementation does not verify RFC specified limits on algorithm names (64 characters) provided in KEX init message. Big KEX init packet may lead to inefficient processing of the error data. As a result, large amount of memory will be allocated for processing malicious data. Versions OTP-27.3.1, OTP-26.2.5.10, and OTP-25.3.2.19 fix the issue. Some workarounds are available. One may set option `parallel_login` to `false` and/or reduce the `max_sessions` option.
CVE-2025-30211: CWE-789: Memory Allocation with Excessive Size Value in erlang otp
Description
Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.1, 26.2.5.10, and 25.3.2.19, a maliciously formed KEX init message can result with high memory usage. Implementation does not verify RFC specified limits on algorithm names (64 characters) provided in KEX init message. Big KEX init packet may lead to inefficient processing of the error data. As a result, large amount of memory will be allocated for processing malicious data. Versions OTP-27.3.1, OTP-26.2.5.10, and OTP-25.3.2.19 fix the issue. Some workarounds are available. One may set option `parallel_login` to `false` and/or reduce the `max_sessions` option.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2025-03-18T18:15:13.850Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69091543c28fd46ded7bb30e
Added to database: 11/3/2025, 8:49:07 PM
Last updated: 11/3/2025, 8:49:58 PM
Views: 1
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2025-3030: Memory safety bugs fixed in Firefox 137, Thunderbird 137, Firefox ESR 128.9, and Thunderbird 128.9 in Mozilla Firefox
HighCVE-2025-3029: URL Bar Spoofing via non-BMP Unicode characters in Mozilla Firefox
HighCVE-2025-3028: Use-after-free triggered by XSLTProcessor in Mozilla Firefox
MediumCVE-2025-31183: An app may be able to access sensitive user data in Apple tvOS
CriticalCVE-2025-31182: An app may be able to delete files for which it does not have permission in Apple tvOS
CriticalActions
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.