CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-26618: SSH SFTP packet size not verified properly in Erlang OTP

7.0 CVSS

Description

Erlang is a programming language and runtime system for building massively scalable soft real-time systems with requirements on high availability. OTP is a set of Erlang libraries, which consists of the Erlang runtime system, a number of ready-to-use components mainly written in Erlang. Packet size is not verified properly for SFTP packets. As a result when multiple SSH packets (conforming to max SSH packet size) are received by ssh, they might be combined into an SFTP packet which will exceed the max allowed packet size and potentially cause large amount of memory to be allocated. Note that situation described above can only happen for successfully authenticated users after completing the SSH handshake. This issue has been patched in OTP versions 27.2.4, 26.2.5.9, and 25.3.2.18. There are no known workarounds for this vulnerability.

Classification

CVE ID: CVE-2025-26618

CVSS Base Severity: HIGH

CVSS Base Score: 7.0

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

Affected Products

Vendor: erlang

Product: otp

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 12.32% (scored less or equal to compared to others)

EPSS Date: 2025-03-21 (when was this score calculated)

References

https://github.com/erlang/otp/security/advisories/GHSA-78cv-45vx-q6fr
https://github.com/erlang/otp/commit/0ed2573cbd55c92e9125c9dc70fa1ca7fed82872

Timeline

2025-02-21 00:25:36 UTC
CVE

SSH SFTP packet size not verified properly in Erlang OTP
2025-03-29 09:45:21 UTC
Tenable Plugins

SUSE SLES15 / openSUSE 15 Security Update : erlang26 (SUSE-SU-2025:1051-1)