CVE-2026-54887: CWE-1394 Use of Default Cryptographic Key in Erlang OTP
Description
CVE-2026-54887 is a medium-severity vulnerability in the DTLS server side of Erlang/OTP's ssl application. At startup the server uses a default (empty) cryptographic key for one of its cookie secrets, which makes the DTLS HelloVerifyRequest cookie predictable. An attacker who can observe a plaintext ClientHello can compute a cookie the server accepts and so bypass the source-address check for the first 0 to 15 seconds after the server starts, that is, until the first secret rotation. Affected are OTP 20.0 and later before 29.0.3, 28.5.0.3 and 27.3.4.14, corresponding to ssl 8.2 and later before 11.7.3, 11.6.0.3 and 11.2.12.10. The DTLS cookie is a denial-of-service mitigation (a return-routability check), not an authentication mechanism, so the consequence of the bypass is handshake amplification toward spoofed source addresses during the startup window, not a break of the handshake's security properties.
CVSS v4.0
Score 6.3 (medium)
Affected software
cpe:2.3:a:erlang:erlang/otp:*:*:*:*:*:*:*:*
Weaknesses
CWE-1394: Use of Default Cryptographic Key
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability arises because the DTLS server in Erlang/OTP initializes previous_cookie_secret to an empty binary at startup instead of to random bytes; the affected code is dtls_server_connection:initial_hello/3 in the ssl application. The DTLS cookie is an HMAC over the ClientHello parameters keyed with a server-side secret, and a verifier that keeps a previous secret does so in order to also accept cookies minted under it, so that clients whose round trip straddles a rotation are not bounced twice. HMAC is deterministic for any key; the problem here is that the key is empty and therefore known to everyone. An attacker who has seen a plaintext ClientHello (and so knows every field the cookie covers) can compute the HMAC under the empty key and present a cookie the server accepts, until the first rotation (within 0 to 15 seconds) moves the random current secret into the previous slot and the empty key stops being valid. This defeats the source-address verification that the cookie exists to provide: the check is meant to prove that the party claiming a source address can actually receive datagrams there before the server commits state and sends its larger handshake flight. Affected versions are OTP 20.0 up to but not including 29.0.3, 28.5.0.3 and 27.3.4.14, and ssl 8.2 up to but not including 11.7.3, 11.6.0.3 and 11.2.12.10.
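To make the mechanism concrete, the following is an added Python model of the DTLS stateless-cookie exchange; it is not OTP's ssl code, and the cookie input fields, the 15-second rotation interval used as a constant, the two-secret acceptance rule and all addresses are assumptions of the model. It places the vulnerable initialization (previous secret empty) beside the corrected one (previous secret random), runs a legitimate client through the HelloVerifyRequest round trip, and has an attacker forge a cookie under the empty key for a spoofed source, showing that the forgery is accepted only before the first rotation and only on the vulnerable server.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class ClientHello:
    """Plaintext ClientHello fields that this model folds into the cookie.

    Constructed for the model; a real ClientHello carries more (version,
    session id, cipher suites) that an implementation may also cover.
    """
    src_ip: str
    src_port: int
    random: bytes
    cookie: bytes = b""


def compute_cookie(secret: bytes, hello: ClientHello) -> bytes:
    # RFC 6347 4.2.1 shape: Cookie = HMAC(Secret, Client-IP, Client-Parameters).
    # The only input a client (or an observer) does not know is `secret`.
    msg = hello.src_ip.encode() + hello.src_port.to_bytes(2, "big") + hello.random
    return hmac.new(secret, msg, hashlib.sha256).digest()


class FakeClock:
    """Deterministic clock so the rotation window can be driven in tests."""

    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class DtlsCookieServer:
    """Cookie verifier with a current and a previous secret.

    vulnerable=True mirrors the flaw described above: the previous secret
    starts as an empty binary, so until the first rotation any cookie
    computed under key b"" is accepted.
    """
    ROTATE_AFTER = 15.0  # seconds; assumed, matches the 0 to 15 s window

    def __init__(self, vulnerable: bool, clock: FakeClock) -> None:
        self.clock = clock
        self.current = os.urandom(32)
        self.previous = b"" if vulnerable else os.urandom(32)
        self.last_rotation = clock.now()

    def _maybe_rotate(self) -> None:
        if self.clock.now() - self.last_rotation >= self.ROTATE_AFTER:
            self.previous, self.current = self.current, os.urandom(32)
            self.last_rotation = self.clock.now()

    def handle_client_hello(self, hello: ClientHello) -> tuple[str, bytes]:
        """Return (message type, cookie): HelloVerifyRequest or ServerHello."""
        self._maybe_rotate()
        if hello.cookie:
            # Accept either secret so a client whose round trip straddled a
            # rotation is not bounced a second time.
            for secret in (self.current, self.previous):
                if hmac.compare_digest(hello.cookie, compute_cookie(secret, hello)):
                    return ("ServerHello", b"")
        return ("HelloVerifyRequest", compute_cookie(self.current, hello))


def forge_cookie(hello: ClientHello) -> bytes:
    """Attacker side: HMAC under the known default (empty) key."""
    return compute_cookie(b"", hello)


def spoofed_attempt(vulnerable: bool, seconds_after_start: float) -> str:
    """Send a ClientHello with a spoofed source and a pre-forged cookie.

    "ServerHello" means the return-routability check was bypassed and the
    larger handshake flight goes to an address that never asked for it.
    """
    clock = FakeClock()
    server = DtlsCookieServer(vulnerable, clock)
    clock.advance(seconds_after_start)
    hello = ClientHello("198.51.100.7", 40000, b"\x11" * 32)  # constructed, spoofed
    hello.cookie = forge_cookie(hello)
    kind, _ = server.handle_client_hello(hello)
    return kind


def legitimate_exchange(vulnerable: bool) -> str:
    """A real client: send, get bounced with a cookie, echo it back."""
    server = DtlsCookieServer(vulnerable, FakeClock())
    hello = ClientHello("203.0.113.9", 51000, os.urandom(32))  # constructed
    kind, cookie = server.handle_client_hello(hello)
    if kind != "HelloVerifyRequest":
        return kind
    hello.cookie = cookie
    kind, _ = server.handle_client_hello(hello)
    return kind


if __name__ == "__main__":
    print("vulnerable, t=1s :", spoofed_attempt(True, 1.0))   # ServerHello
    print("vulnerable, t=16s:", spoofed_attempt(True, 16.0))  # HelloVerifyRequest
    print("patched, t=1s    :", spoofed_attempt(False, 1.0))  # HelloVerifyRequest
    print("legitimate client:", legitimate_exchange(True))    # ServerHello
```

The fix in the model is a single line, the initialization of `previous`; everything else, including the two-secret acceptance that makes the empty key reachable, is ordinary cookie-verifier behaviour, which is why a default key in a slot that is normally harmless turns into a bypass.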
Potential Impact
An attacker capable of observing plaintext ClientHello messages during the server startup window can bypass source address verification in the DTLS handshake. This undermines the denial-of-service mitigation the cookie provides and enables handshake amplification toward spoofed source IP addresses: the server sends its larger handshake flight to a victim that never sent a ClientHello. It does not compromise authentication or confidentiality, since the cookie plays no part in either. The exposure is limited to the 0 to 15 seconds after startup before the cookie secret rotates to a random value, but the window reopens on every restart of the DTLS server.
Mitigation Recommendations
The affected ranges in this record are bounded above by OTP 29.0.3, 28.5.0.3 and 27.3.4.14 (ssl 11.7.3, 11.6.0.3 and 11.2.12.10), so those releases, or later ones on the same branch, are the upgrade targets; confirm against the EEF advisory, since this record carries no explicit remediation level. Until the upgrade is deployed: avoid unnecessary restarts of DTLS servers, because every restart reopens the 0 to 15 second window; rate-limit new DTLS handshakes per source address at the network edge, which bounds amplification regardless of cookie state; and alert on ClientHello messages that arrive with a cookie in the first seconds after startup from a source that was never sent a HelloVerifyRequest, which is what this bypass looks like on the wire. At no time should the DTLS cookie be treated as authentication; it is only a return-routability check.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- EEF
- Date Reserved
- 2026-06-16T10:47:13.915Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- Not specified
Threat ID: 6a46a8b827e9c79719cc4ab5
Added to database: 07/02/2026, 18:06:48 UTC
Last enriched: 07/02/2026, 18:21:49 UTC
Last updated: 07/02/2026, 19:02:35 UTC