CVE-2026-23943

Pre-auth SSH DoS via unbounded zlib inflate

Previous Page: « Back to all CVEs Next Page: See on OSV.dev »

Weakness Type (CWE)

CWE-409 — CWE-409 Improper Handling of Highly Compressed Data (Data Amplification)

CAPEC

• CAPEC-130 — CAPEC-130 Excessive Allocation
• CAPEC-490 — CAPEC-490 Amplification

CVSS 4.0 Score

6.9

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Vulnerability description

Improper Handling of Highly Compressed Data (Compression Bomb) vulnerability in Erlang OTP ssh (ssh_transport modules) allows Denial of Service via Resource Depletion.

The SSH transport layer advertises legacy zlib compression by default and inflates attacker-controlled payloads pre-authentication without any size limit, enabling reliable memory exhaustion DoS.

Two compression algorithms are affected:

• zlib: Activates immediately after key exchange, enabling unauthenticated attacks
• zlib@openssh.com: Activates post-authentication, enabling authenticated attacks

Each SSH packet can decompress ~255 MB from 256 KB of wire data (1029:1 amplification ratio). Multiple packets can rapidly exhaust available memory, causing OOM kills in memory-constrained environments.

This vulnerability is associated with program files lib/ssh/src/ssh_transport.erl and program routines ssh_transport:decompress/2, ssh_transport:handle_packet_part/4.

This issue affects OTP from OTP 17.0 until OTP 28.4.1, 27.3.4.9 and 26.2.5.18 corresponding to ssh from 3.0.1 until 5.5.1, 5.2.11.6 and 5.1.4.14.

Affected

pkg:otp/ssh

Module	Source File	Routine
ssh_transport	src/ssh_transport.erl	ssh_transport:decompress/2
		ssh_transport:handle_packet_part/4

Status	Type	Version	Changes / Fixed in
affected	otp ⓘ	3.0.1	unaffected at 5.5.1 unaffected at 5.2.11.6 unaffected at 5.1.4.14

pkg:github/erlang/otp

Module	Source File	Routine
ssh_transport	lib/ssh/src/ssh_transport.erl	ssh_transport:decompress/2
		ssh_transport:handle_packet_part/4

Status	Type	Version	Changes / Fixed in
affected	otp ⓘ	17.0	unaffected at 28.4.1 unaffected at 27.3.4.9 unaffected at 26.2.5.18
affected	git ⓘ	07b8f441ca71	unaffected at 43a87b949bdf unaffected at 93073c3bd338 unaffected at 0c1c04b191f6

Workarounds

Best workaround - Disable all compression:

{preferred_algorithms, [{compression, ['none']}]}

Alternative mitigations (less secure):

• Disable only pre-auth zlib compression (authenticated users can still exploit via zlib@openssh.com):

  {modify_algorithms, [{rm, [{compression, ['zlib']}]}]}

• Limit concurrent sessions (reduces attack surface but does not prevent exploitation):

  {max_sessions, N}  % Cap total concurrent sessions (default is infinity)

References

• https://github.com/erlang/otp/security/advisories/GHSA-c836-qprm-jw9r vendor-advisory
• https://github.com/erlang/otp/commit/43a87b949bdff12d629a8c34146711d9da93b1b1 patch
• https://github.com/erlang/otp/commit/93073c3bd338c60cd2bae715ce6a1d4ffc1a8fd3 patch
• https://github.com/erlang/otp/commit/0c1c04b191f6ab940e8fcfabce39eb5a8a6440a4 patch

Credits

• Reporter: Igor Morgenstern / Aisle Research
• Remediation developer: Michał Wąsowski
• Remediation reviewer: Jakub Witczak

CVE record as JSON:  GET /cves/CVE-2026-23943.json
OSV record as JSON:  GET /osv/EEF-CVE-2026-23943.json