This vulnerability (CVE-2026-23943) in Erlang OTP's ssh_transport modules arises from improper handling of highly compressed data, enabling a denial of service via resource depletion. The SSH transport layer advertises legacy zlib compression by default and decompresses attacker-controlled payloads without size limits pre-authentication, allowing unauthenticated memory exhaustion attacks. The affected compression algorithms are zlib (immediate activation after key exchange) and zlib@openssh.com (post-authentication). Each SSH packet can decompress approximately 255 MB from 256 KB of wire data, resulting in a 1029:1 amplification ratio. Multiple packets can rapidly exhaust available memory, causing out-of-memory kills especially in constrained environments. The vulnerability affects OTP versions from 17.0 through 28.4.1 and corresponding SSH versions from 3.0.1 through 5.5.1 and related subversions. The affected code is located in lib/ssh/src/ssh_transport.erl, specifically in ssh_transport:decompress/2 and ssh_transport:handle_packet_part/4.

An attacker can cause a denial of service condition by sending specially crafted compressed SSH packets that decompress to a large size, exhausting system memory and potentially causing the SSH service or host to crash. The attack can be performed unauthenticated due to the zlib compression activating immediately after key exchange. This can disrupt availability of systems running affected Erlang OTP versions, particularly in memory-constrained environments.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. In the absence of an official fix, consider disabling legacy zlib compression in the SSH transport layer if configurable, or applying resource limits to SSH processes to mitigate memory exhaustion. Monitor vendor channels for updates and apply patches promptly once available.