CVE-2026-23943: CWE-409 Improper Handling of Highly Compressed Data (Data Amplification) in Erlang OTP
Improper Handling of Highly Compressed Data (Compression Bomb) vulnerability in Erlang OTP ssh (ssh_transport modules) allows Denial of Service via Resource Depletion. The SSH transport layer advertises legacy zlib compression by default and inflates attacker-controlled payloads pre-authentication without any size limit, enabling reliable memory exhaustion DoS. Two compression algorithms are affected: * zlib: Activates immediately after key exchange, enabling unauthenticated attacks * zlib@openssh.com: Activates post-authentication, enabling authenticated attacks Each SSH packet can decompress ~255 MB from 256 KB of wire data (1029:1 amplification ratio). Multiple packets can rapidly exhaust available memory, causing OOM kills in memory-constrained environments. This vulnerability is associated with program files lib/ssh/src/ssh_transport.erl and program routines ssh_transport:decompress/2, ssh_transport:handle_packet_part/4. This issue affects OTP from OTP 17.0 until OTP 28.4.1, 27.3.4.9 and 26.2.5.18 corresponding to ssh from 3.0.1 until 5.5.1, 5.2.11.6 and 5.1.4.14.
AI Analysis
Technical Summary
This vulnerability (CVE-2026-23943) in Erlang OTP's ssh_transport modules arises from improper handling of highly compressed data, specifically legacy zlib compression used by the SSH transport layer. The SSH implementation advertises zlib compression by default and decompresses attacker-controlled payloads without size limits, enabling denial of service via memory exhaustion. Two compression algorithms are affected: 'zlib', which activates immediately after key exchange allowing unauthenticated attacks, and 'zlib@openssh.com', which activates post-authentication allowing authenticated attacks. Each SSH packet can decompress approximately 255 MB from 256 KB of wire data, resulting in a 1029:1 amplification ratio. Multiple packets can rapidly consume available memory, causing out-of-memory kills in memory-constrained systems. The affected OTP versions range from 17.0 through 28.4.1, 27.3.4.9, and 26.2.5.18, with corresponding ssh versions from 3.0.1 through 5.5.1, 5.2.11.6, and 5.1.4.14.
Potential Impact
An attacker can cause a denial of service by sending specially crafted compressed SSH packets that decompress to a much larger size, exhausting system memory. This can lead to out-of-memory kills and service disruption. The unauthenticated attack vector via the 'zlib' compression algorithm after key exchange increases the risk as no authentication is required to trigger the vulnerability. The authenticated attack vector via 'zlib@openssh.com' allows an attacker with valid credentials to also exploit this issue. The vulnerability affects systems running vulnerable versions of Erlang OTP SSH transport, potentially impacting availability in memory-constrained environments.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, consider disabling legacy zlib compression in the SSH transport layer if possible to prevent exploitation. Monitor for updates from the Erlang project regarding patches or configuration changes that mitigate this vulnerability. Avoid enabling or using the affected compression algorithms in environments where memory exhaustion could cause critical impact.
CVE-2026-23943: CWE-409 Improper Handling of Highly Compressed Data (Data Amplification) in Erlang OTP
Description
Improper Handling of Highly Compressed Data (Compression Bomb) vulnerability in Erlang OTP ssh (ssh_transport modules) allows Denial of Service via Resource Depletion. The SSH transport layer advertises legacy zlib compression by default and inflates attacker-controlled payloads pre-authentication without any size limit, enabling reliable memory exhaustion DoS. Two compression algorithms are affected: * zlib: Activates immediately after key exchange, enabling unauthenticated attacks * zlib@openssh.com: Activates post-authentication, enabling authenticated attacks Each SSH packet can decompress ~255 MB from 256 KB of wire data (1029:1 amplification ratio). Multiple packets can rapidly exhaust available memory, causing OOM kills in memory-constrained environments. This vulnerability is associated with program files lib/ssh/src/ssh_transport.erl and program routines ssh_transport:decompress/2, ssh_transport:handle_packet_part/4. This issue affects OTP from OTP 17.0 until OTP 28.4.1, 27.3.4.9 and 26.2.5.18 corresponding to ssh from 3.0.1 until 5.5.1, 5.2.11.6 and 5.1.4.14.
CVSS v4.0
Score 6.9medium
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability (CVE-2026-23943) in Erlang OTP's ssh_transport modules arises from improper handling of highly compressed data, specifically legacy zlib compression used by the SSH transport layer. The SSH implementation advertises zlib compression by default and decompresses attacker-controlled payloads without size limits, enabling denial of service via memory exhaustion. Two compression algorithms are affected: 'zlib', which activates immediately after key exchange allowing unauthenticated attacks, and 'zlib@openssh.com', which activates post-authentication allowing authenticated attacks. Each SSH packet can decompress approximately 255 MB from 256 KB of wire data, resulting in a 1029:1 amplification ratio. Multiple packets can rapidly consume available memory, causing out-of-memory kills in memory-constrained systems. The affected OTP versions range from 17.0 through 28.4.1, 27.3.4.9, and 26.2.5.18, with corresponding ssh versions from 3.0.1 through 5.5.1, 5.2.11.6, and 5.1.4.14.
Potential Impact
An attacker can cause a denial of service by sending specially crafted compressed SSH packets that decompress to a much larger size, exhausting system memory. This can lead to out-of-memory kills and service disruption. The unauthenticated attack vector via the 'zlib' compression algorithm after key exchange increases the risk as no authentication is required to trigger the vulnerability. The authenticated attack vector via 'zlib@openssh.com' allows an attacker with valid credentials to also exploit this issue. The vulnerability affects systems running vulnerable versions of Erlang OTP SSH transport, potentially impacting availability in memory-constrained environments.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, consider disabling legacy zlib compression in the SSH transport layer if possible to prevent exploitation. Monitor for updates from the Erlang project regarding patches or configuration changes that mitigate this vulnerability. Avoid enabling or using the affected compression algorithms in environments where memory exhaustion could cause critical impact.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- EEF
- Date Reserved
- 2026-01-19T14:23:14.343Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 69b3d90e2f860ef943bac72f
Added to database: 3/13/2026, 9:29:50 AM
Last enriched: 6/10/2026, 5:20:49 PM
Last updated: 6/11/2026, 11:10:39 PM
Views: 186
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.