Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    14 vulnerabilities found for erlang\/ssh by erlang

    CVE-2026-54886 (GCVE-0-2026-54886)

    Vulnerability from nvd – Published: 2026-07-02 16:06 – Updated: 2026-07-03 04:29
    VLAI
    Title
    SSH SFTP server denial of service via extended channel data infinite loop
    Summary
    Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP user to render an SFTP channel permanently unresponsive. The handle_data/4 function in ssh_sftpd contains a catch-all clause that accepts channel data of any type. When channel data with a non-zero type code (SSH_MSG_CHANNEL_EXTENDED_DATA) arrives with an empty pending buffer and a payload at or below the SFTP packet size limit, the clause tail-calls itself with identical arguments, creating an infinite loop. The SFTP protocol operates exclusively on normal channel data (type 0). Extended data (non-zero type) is meaningless for SFTP and is never sent by conforming clients. However, the SSH protocol permits any channel participant to send extended data on an open channel, so an authenticated SFTP client can trigger the loop by sending SSH_MSG_CHANNEL_EXTENDED_DATA with any data_type_code and any non-empty payload at or below the size limit. The targeted ssh_sftpd process enters an infinite tail-recursive loop. It never processes another message, its message queue grows without bound, and it can only be stopped by killing the process. BEAM's reduction-based scheduler preemption continues to function, so other processes on the node are not starved, but each stuck channel process consumes its full CPU time share continuously and accumulates unbounded message queue memory. Opening many channels amplifies the CPU and memory impact. Erlang/OTP SSH configurations using the default max_channels setting (infinity) allow an authenticated user to open unlimited channels per connection, amplifying the attack without requiring multiple TCP connections or authentications. No file contents, credentials, or write access are obtainable through this issue. The impact is limited to denial of service on targeted SFTP channels, with secondary CPU degradation and memory growth. This vulnerability is associated with program file lib/ssh/src/ssh_sftpd.erl and program routine ssh_sftpd:handle_data/4. This issue affects OTP from OTP 17.0 until OTP 29.0.3, 28.5.0.3, and 27.3.4.14 corresponding to ssh from 3.0.1 until 6.0.2, 5.5.2.2, and 5.2.11.9.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    EEF
    Impacted products
    Vendor Product Version
    Erlang OTP Affected: 3.0.1 , < * (otp)
        cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Erlang OTP Affected: 17.0 , < * (otp)
    Affected: 84adefa3318eef8631bf25cd233246a86eea18cd , < eaf9550b8ad4738b81149d3f617102d980c6dd18 (git)
        cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Lukas Backström Michał Wąsowski Jakub Witczak
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-54886",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-02T17:27:25.414155Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-02T17:27:30.648Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "ssh_sftpd"
              ],
              "packageName": "ssh",
              "packageURL": "pkg:otp/ssh?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
              "product": "OTP",
              "programFiles": [
                "src/ssh_sftpd.erl"
              ],
              "programRoutines": [
                {
                  "name": "ssh_sftpd:handle_data/4"
                }
              ],
              "repo": "https://github.com/erlang/otp",
              "vendor": "Erlang",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "6.0.2",
                      "status": "unaffected"
                    },
                    {
                      "at": "5.5.2.2",
                      "status": "unaffected"
                    },
                    {
                      "at": "5.2.11.9",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "3.0.1",
                  "versionType": "otp"
                }
              ]
            },
            {
              "collectionURL": "https://github.com",
              "cpes": [
                "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "ssh_sftpd"
              ],
              "packageName": "erlang/otp",
              "packageURL": "pkg:github/erlang/otp",
              "product": "OTP",
              "programFiles": [
                "lib/ssh/src/ssh_sftpd.erl"
              ],
              "programRoutines": [
                {
                  "name": "ssh_sftpd:handle_data/4"
                }
              ],
              "repo": "https://github.com/erlang/otp",
              "vendor": "Erlang",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "29.0.3",
                      "status": "unaffected"
                    },
                    {
                      "at": "28.5.0.3",
                      "status": "unaffected"
                    },
                    {
                      "at": "27.3.4.14",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "17.0",
                  "versionType": "otp"
                },
                {
                  "lessThan": "eaf9550b8ad4738b81149d3f617102d980c6dd18",
                  "status": "affected",
                  "version": "84adefa3318eef8631bf25cd233246a86eea18cd",
                  "versionType": "git"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "27.3.4.14",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "28.5.0.3",
                      "versionStartIncluding": "28.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "29.0.3",
                      "versionStartIncluding": "29.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "AND"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Lukas Backstr\u00f6m"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Micha\u0142 W\u0105sowski"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Jakub Witczak"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027) vulnerability in Erlang OTP \u003ctt\u003essh\u003c/tt\u003e (\u003ctt\u003essh_sftpd\u003c/tt\u003e module) allows an authenticated SFTP user to render an SFTP channel permanently unresponsive.\u003cp\u003eThe \u003ctt\u003ehandle_data/4\u003c/tt\u003e function in \u003ctt\u003essh_sftpd\u003c/tt\u003e contains a catch-all clause that accepts channel data of any type. When channel data with a non-zero type code (\u003ctt\u003eSSH_MSG_CHANNEL_EXTENDED_DATA\u003c/tt\u003e) arrives with an empty pending buffer and a payload at or below the SFTP packet size limit, the clause tail-calls itself with identical arguments, creating an infinite loop.\u003c/p\u003e\u003cp\u003eThe SFTP protocol operates exclusively on normal channel data (type 0). Extended data (non-zero type) is meaningless for SFTP and is never sent by conforming clients. However, the SSH protocol permits any channel participant to send extended data on an open channel, so an authenticated SFTP client can trigger the loop by sending \u003ctt\u003eSSH_MSG_CHANNEL_EXTENDED_DATA\u003c/tt\u003e with any \u003ctt\u003edata_type_code\u003c/tt\u003e and any non-empty payload at or below the size limit.\u003c/p\u003e\u003cp\u003eThe targeted \u003ctt\u003essh_sftpd\u003c/tt\u003e process enters an infinite tail-recursive loop. It never processes another message, its message queue grows without bound, and it can only be stopped by killing the process. BEAM\u0027s reduction-based scheduler preemption continues to function, so other processes on the node are not starved, but each stuck channel process consumes its full CPU time share continuously and accumulates unbounded message queue memory. Opening many channels amplifies the CPU and memory impact.\u003c/p\u003e\u003cp\u003eErlang/OTP SSH configurations using the default \u003ctt\u003emax_channels\u003c/tt\u003e setting (\u003ctt\u003einfinity\u003c/tt\u003e) allow an authenticated user to open unlimited channels per connection, amplifying the attack without requiring multiple TCP connections or authentications.\u003c/p\u003e\u003cp\u003eNo file contents, credentials, or write access are obtainable through this issue. The impact is limited to denial of service on targeted SFTP channels, with secondary CPU degradation and memory growth.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program file \u003ctt\u003elib/ssh/src/ssh_sftpd.erl\u003c/tt\u003e and program routine \u003ctt\u003essh_sftpd:handle_data/4\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 17.0 until OTP 29.0.3, 28.5.0.3, and 27.3.4.14 corresponding to \u003ctt\u003essh\u003c/tt\u003e from 3.0.1 until 6.0.2, 5.5.2.2, and 5.2.11.9.\u003c/p\u003e"
                }
              ],
              "value": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027) vulnerability in Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP user to render an SFTP channel permanently unresponsive.\n\nThe handle_data/4 function in ssh_sftpd contains a catch-all clause that accepts channel data of any type. When channel data with a non-zero type code (SSH_MSG_CHANNEL_EXTENDED_DATA) arrives with an empty pending buffer and a payload at or below the SFTP packet size limit, the clause tail-calls itself with identical arguments, creating an infinite loop.\n\nThe SFTP protocol operates exclusively on normal channel data (type 0). Extended data (non-zero type) is meaningless for SFTP and is never sent by conforming clients. However, the SSH protocol permits any channel participant to send extended data on an open channel, so an authenticated SFTP client can trigger the loop by sending SSH_MSG_CHANNEL_EXTENDED_DATA with any data_type_code and any non-empty payload at or below the size limit.\n\nThe targeted ssh_sftpd process enters an infinite tail-recursive loop. It never processes another message, its message queue grows without bound, and it can only be stopped by killing the process. BEAM\u0027s reduction-based scheduler preemption continues to function, so other processes on the node are not starved, but each stuck channel process consumes its full CPU time share continuously and accumulates unbounded message queue memory. Opening many channels amplifies the CPU and memory impact.\n\nErlang/OTP SSH configurations using the default max_channels setting (infinity) allow an authenticated user to open unlimited channels per connection, amplifying the attack without requiring multiple TCP connections or authentications.\n\nNo file contents, credentials, or write access are obtainable through this issue. The impact is limited to denial of service on targeted SFTP channels, with secondary CPU degradation and memory growth.\n\nThis vulnerability is associated with program file lib/ssh/src/ssh_sftpd.erl and program routine ssh_sftpd:handle_data/4.\n\nThis issue affects OTP from OTP 17.0 until OTP 29.0.3, 28.5.0.3, and 27.3.4.14 corresponding to ssh from 3.0.1 until 6.0.2, 5.5.2.2, and 5.2.11.9."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-130",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-130 Excessive Allocation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackVector": "NETWORK",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-835",
                  "description": "CWE-835 Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
                  "lang": "en",
                  "type": "CWE"
                },
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400 Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-03T04:29:26.056Z",
            "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "shortName": "EEF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "related"
              ],
              "url": "https://github.com/erlang/otp/security/advisories/GHSA-7wp4-pc27-2vj9"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://cna.erlef.org/cves/CVE-2026-54886.html"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://osv.dev/vulnerability/EEF-CVE-2026-54886"
            },
            {
              "tags": [
                "x_version-scheme"
              ],
              "url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/erlang/otp/commit/eaf9550b8ad4738b81149d3f617102d980c6dd18"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "SSH SFTP server denial of service via extended channel data infinite loop",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cul\u003e\u003cli\u003eSet the \u003ctt\u003emax_channels\u003c/tt\u003e daemon option to a finite value (e.g., \u003ctt\u003e{max_channels, 10}\u003c/tt\u003e) to limit the number of channels an attacker can open per connection.\u003c/li\u003e\u003cli\u003eSet the \u003ctt\u003emax_sessions\u003c/tt\u003e daemon option to limit total concurrent SSH connections to the daemon.\u003c/li\u003e\u003cli\u003eUse external process monitoring to detect and kill \u003ctt\u003essh_sftpd\u003c/tt\u003e processes with abnormally high reduction counts and growing message queues.\u003c/li\u003e\u003cli\u003eEnsure that the SFTP server port is not reachable from untrusted machines.\u003c/li\u003e\u003c/ul\u003e"
                }
              ],
              "value": "* Set the max_channels daemon option to a finite value (e.g., {max_channels, 10}) to limit the number of channels an attacker can open per connection.\n* Set the max_sessions daemon option to limit total concurrent SSH connections to the daemon.\n* Use external process monitoring to detect and kill ssh_sftpd processes with abnormally high reduction counts and growing message queues.\n* Ensure that the SFTP server port is not reachable from untrusted machines."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "assignerShortName": "EEF",
        "cveId": "CVE-2026-54886",
        "datePublished": "2026-07-02T16:06:20.502Z",
        "dateReserved": "2026-06-16T10:47:13.914Z",
        "dateUpdated": "2026-07-03T04:29:26.056Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-53422 (GCVE-0-2026-53422)

    Vulnerability from nvd – Published: 2026-07-02 16:06 – Updated: 2026-07-03 04:28
    VLAI
    Title
    SFTP REALPATH path-existence oracle allowing filesystem enumeration outside configured root
    Summary
    Observable Response Discrepancy vulnerability in Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP user to enumerate the existence of files and directories outside the configured root directory. The SSH_FXP_REALPATH handler in ssh_sftpd calls relate_file_name/3 with Canonicalize=false, unlike every other SFTP operation handler. This allows .. components in the requested path to bypass the is_within_root/2 check without being resolved. The un-canonicalized path then enters resolve_symlinks/2, which walks up the directory tree above the configured root and issues read_link() syscalls on arbitrary filesystem paths. An authenticated SFTP client can exploit this by sending a REALPATH request with a crafted traversal path. The server response differs depending on whether the target path exists on the host filesystem (SSH_FXP_NAME when the path resolves successfully, SSH_FX_NO_SUCH_FILE when it does not). This creates a path-existence oracle that an attacker can use to enumerate the filesystem structure outside the configured root, including the existence of sensitive files, directories, and mount points. The vulnerability leaks only the existence of paths. No file contents, credentials, or write access are obtainable through this issue alone. The information gained may assist further attacks when combined with other vulnerabilities. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl and program routine ssh_sftpd:handle_op/4. This issue affects OTP from OTP 17.0 until OTP 29.0.3, 28.5.0.3, and 27.3.4.14 corresponding to ssh from 3.0.1 until 6.0.2, 5.5.2.2, and 5.2.11.9.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-204 - Observable Response Discrepancy
    Assigner
    EEF
    Impacted products
    Vendor Product Version
    Erlang OTP Affected: 3.0.1 , < * (otp)
        cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Erlang OTP Affected: 17.0 , < * (otp)
    Affected: 84adefa331c4159d432d22840663c38f155cd4c1 , < * (git)
        cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Mohamed Ali IBNAL HAJALI / Ericsson Michał Wąsowski Jakub Witczak
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-53422",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-02T17:29:13.490797Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-02T17:29:32.878Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "ssh_sftpd"
              ],
              "packageName": "ssh",
              "packageURL": "pkg:otp/ssh?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
              "product": "OTP",
              "programFiles": [
                "src/ssh_sftpd.erl"
              ],
              "programRoutines": [
                {
                  "name": "ssh_sftpd:handle_op/4"
                }
              ],
              "repo": "https://github.com/erlang/otp",
              "vendor": "Erlang",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "6.0.2",
                      "status": "unaffected"
                    },
                    {
                      "at": "5.5.2.2",
                      "status": "unaffected"
                    },
                    {
                      "at": "5.2.11.9",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "3.0.1",
                  "versionType": "otp"
                }
              ]
            },
            {
              "collectionURL": "https://github.com",
              "cpes": [
                "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "ssh_sftpd"
              ],
              "packageName": "erlang/otp",
              "packageURL": "pkg:github/erlang/otp",
              "product": "OTP",
              "programFiles": [
                "lib/ssh/src/ssh_sftpd.erl"
              ],
              "programRoutines": [
                {
                  "name": "ssh_sftpd:handle_op/4"
                }
              ],
              "repo": "https://github.com/erlang/otp",
              "vendor": "Erlang",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "29.0.3",
                      "status": "unaffected"
                    },
                    {
                      "at": "28.5.0.3",
                      "status": "unaffected"
                    },
                    {
                      "at": "27.3.4.14",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "17.0",
                  "versionType": "otp"
                },
                {
                  "changes": [
                    {
                      "at": "059e5785ef8c1d423820ca633fb7b37f47645172",
                      "status": "unaffected"
                    },
                    {
                      "at": "86622cfaacf57a02c7645d1999f946846b504c94",
                      "status": "unaffected"
                    },
                    {
                      "at": "c5a8f50ae68888ff243c5c741a06d2b3a4b48b7a",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "84adefa331c4159d432d22840663c38f155cd4c1",
                  "versionType": "git"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eThe SFTP subsystem must be configured with the \u003ctt\u003eroot\u003c/tt\u003e option in \u003ctt\u003essh_sftpd:subsystem_spec/1\u003c/tt\u003e, and the operator must rely on it to provide filesystem path isolation. The \u003ctt\u003eroot\u003c/tt\u003e option is not set by default.\u003c/p\u003e"
                }
              ],
              "value": "The SFTP subsystem must be configured with the root option in ssh_sftpd:subsystem_spec/1, and the operator must rely on it to provide filesystem path isolation. The root option is not set by default."
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "27.3.4.14",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "28.5.0.3",
                      "versionStartIncluding": "28.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "29.0.3",
                      "versionStartIncluding": "29.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "AND"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Mohamed Ali IBNAL HAJALI / Ericsson"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Micha\u0142 W\u0105sowski"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Jakub Witczak"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eObservable Response Discrepancy vulnerability in Erlang OTP \u003ctt\u003essh\u003c/tt\u003e (\u003ctt\u003essh_sftpd\u003c/tt\u003e module) allows an authenticated SFTP user to enumerate the existence of files and directories outside the configured root directory.\u003c/p\u003e\u003cp\u003eThe \u003ctt\u003eSSH_FXP_REALPATH\u003c/tt\u003e handler in \u003ctt\u003essh_sftpd\u003c/tt\u003e calls \u003ctt\u003erelate_file_name/3\u003c/tt\u003e with \u003ctt\u003eCanonicalize=false\u003c/tt\u003e, unlike every other SFTP operation handler. This allows \u003ctt\u003e..\u003c/tt\u003e components in the requested path to bypass the \u003ctt\u003eis_within_root/2\u003c/tt\u003e check without being resolved. The un-canonicalized path then enters \u003ctt\u003eresolve_symlinks/2\u003c/tt\u003e, which walks up the directory tree above the configured root and issues \u003ctt\u003eread_link()\u003c/tt\u003e syscalls on arbitrary filesystem paths.\u003c/p\u003e\u003cp\u003eAn authenticated SFTP client can exploit this by sending a \u003ctt\u003eREALPATH\u003c/tt\u003e request with a crafted traversal path. The server response differs depending on whether the target path exists on the host filesystem (\u003ctt\u003eSSH_FXP_NAME\u003c/tt\u003e when the path resolves successfully, \u003ctt\u003eSSH_FX_NO_SUCH_FILE\u003c/tt\u003e when it does not). This creates a path-existence oracle that an attacker can use to enumerate the filesystem structure outside the configured root, including the existence of sensitive files, directories, and mount points.\u003c/p\u003e\u003cp\u003eThe vulnerability leaks only the existence of paths. No file contents, credentials, or write access are obtainable through this issue alone. The information gained may assist further attacks when combined with other vulnerabilities.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/ssh/src/ssh_sftpd.erl\u003c/tt\u003e and program routine \u003ctt\u003essh_sftpd:handle_op/4\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 17.0 until OTP 29.0.3, 28.5.0.3, and 27.3.4.14 corresponding to \u003ctt\u003essh\u003c/tt\u003e from 3.0.1 until 6.0.2, 5.5.2.2, and 5.2.11.9.\u003c/p\u003e"
                }
              ],
              "value": "Observable Response Discrepancy vulnerability in Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP user to enumerate the existence of files and directories outside the configured root directory.\n\nThe SSH_FXP_REALPATH handler in ssh_sftpd calls relate_file_name/3 with Canonicalize=false, unlike every other SFTP operation handler. This allows .. components in the requested path to bypass the is_within_root/2 check without being resolved. The un-canonicalized path then enters resolve_symlinks/2, which walks up the directory tree above the configured root and issues read_link() syscalls on arbitrary filesystem paths.\n\nAn authenticated SFTP client can exploit this by sending a REALPATH request with a crafted traversal path. The server response differs depending on whether the target path exists on the host filesystem (SSH_FXP_NAME when the path resolves successfully, SSH_FX_NO_SUCH_FILE when it does not). This creates a path-existence oracle that an attacker can use to enumerate the filesystem structure outside the configured root, including the existence of sensitive files, directories, and mount points.\n\nThe vulnerability leaks only the existence of paths. No file contents, credentials, or write access are obtainable through this issue alone. The information gained may assist further attacks when combined with other vulnerabilities.\n\nThis vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl and program routine ssh_sftpd:handle_op/4.\n\nThis issue affects OTP from OTP 17.0 until OTP 29.0.3, 28.5.0.3, and 27.3.4.14 corresponding to ssh from 3.0.1 until 6.0.2, 5.5.2.2, and 5.2.11.9."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-54",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-54 Query System for Information"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 2.3,
                "baseSeverity": "LOW",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-204",
                  "description": "CWE-204 Observable Response Discrepancy",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-03T04:28:59.578Z",
            "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "shortName": "EEF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "related"
              ],
              "url": "https://github.com/erlang/otp/security/advisories/GHSA-h9pw-h5w4-h976"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://cna.erlef.org/cves/CVE-2026-53422.html"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://osv.dev/vulnerability/EEF-CVE-2026-53422"
            },
            {
              "tags": [
                "x_version-scheme"
              ],
              "url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/erlang/otp/commit/059e5785ef8c1d423820ca633fb7b37f47645172"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/erlang/otp/commit/86622cfaacf57a02c7645d1999f946846b504c94"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/erlang/otp/commit/c5a8f50ae68888ff243c5c741a06d2b3a4b48b7a"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "SFTP REALPATH path-existence oracle allowing filesystem enumeration outside configured root",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cul\u003e\u003cli\u003eUse OS-level chroot to run the Erlang VM or SFTP server process in an isolated filesystem environment, eliminating reliance on the application-level \u003ctt\u003eroot\u003c/tt\u003e option.\u003c/li\u003e\u003cli\u003eEnsure the SFTP server port on the machine running the Erlang/OTP SFTP server is not reachable from untrusted machines.\u003c/li\u003e\u003cli\u003eEnsure that no sensitive information (usernames, project names, mount topology) is inferrable from the existence or non-existence of paths on the host filesystem.\u003c/li\u003e\u003c/ul\u003e"
                }
              ],
              "value": "* Use OS-level chroot to run the Erlang VM or SFTP server process in an isolated filesystem environment, eliminating reliance on the application-level root option.\n* Ensure the SFTP server port on the machine running the Erlang/OTP SFTP server is not reachable from untrusted machines.\n* Ensure that no sensitive information (usernames, project names, mount topology) is inferrable from the existence or non-existence of paths on the host filesystem."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "assignerShortName": "EEF",
        "cveId": "CVE-2026-53422",
        "datePublished": "2026-07-02T16:06:03.802Z",
        "dateReserved": "2026-06-09T11:01:47.529Z",
        "dateUpdated": "2026-07-03T04:28:59.578Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48859 (GCVE-0-2026-48859)

    Vulnerability from nvd – Published: 2026-06-10 14:35 – Updated: 2026-06-11 04:45
    VLAI
    Title
    SSH server timing side-channel in ssh_auth:check_password/3 allows unauthenticated username enumeration
    Summary
    Observable Timing Discrepancy vulnerability in Erlang/OTP ssh (ssh_auth, ssh_options modules) allows unauthenticated remote username enumeration via timing side-channel in password authentication. When the SSH daemon is configured with the user_passwords or password option, ssh_auth:check_password/3 performs a PBKDF2-SHA256 computation with 600,000 iterations (~300ms) for valid usernames, but returns immediately (~0ms) for invalid usernames via the ssh_options:get_password_option/2 path. This timing difference is detectable in a single authentication attempt and allows an unauthenticated attacker to distinguish valid from invalid usernames. The user_passwords and password options are documented as intended for test purposes; the recommended alternative is pwdfun, which is not affected by this vulnerability. This vulnerability is associated with program files lib/ssh/src/ssh_auth.erl and lib/ssh/src/ssh_options.erl. This issue affects OTP from OTP 29.0 before 29.0.2 corresponding to ssh from 6.0 before 6.0.1.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-208 - Observable Timing Discrepancy
    Assigner
    EEF
    Impacted products
    Vendor Product Version
    Erlang OTP Affected: 6.0 , < 6.0.1 (otp)
        cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Erlang OTP Affected: 29.0 , < 29.0.2 (otp)
    Affected: 032d1bc9491a3975c68faf9bc7776115d6ae3005 , < c342092ef4b369bb409d5b71ac8fd83bab74aedf (git)
        cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Zhang Delong Jakub Witczak Ingela Anderton Andin Michał Wąsowski
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48859",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-10T16:19:16.914933Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-10T16:19:43.145Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unknown",
              "modules": [
                "ssh_auth",
                "ssh_options"
              ],
              "packageName": "ssh",
              "packageURL": "pkg:otp/ssh?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
              "product": "OTP",
              "programFiles": [
                "src/ssh_auth.erl",
                "src/ssh_options.erl"
              ],
              "programRoutines": [
                {
                  "name": "ssh_auth:check_password/3"
                },
                {
                  "name": "ssh_options:get_password_option/2"
                }
              ],
              "repo": "https://github.com/erlang/otp",
              "vendor": "Erlang",
              "versions": [
                {
                  "lessThan": "6.0.1",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "otp"
                }
              ]
            },
            {
              "collectionURL": "https://github.com",
              "cpes": [
                "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unknown",
              "modules": [
                "ssh_auth",
                "ssh_options"
              ],
              "packageName": "erlang/otp",
              "packageURL": "pkg:github/erlang/otp",
              "product": "OTP",
              "programFiles": [
                "lib/ssh/src/ssh_auth.erl",
                "lib/ssh/src/ssh_options.erl"
              ],
              "programRoutines": [
                {
                  "name": "ssh_auth:check_password/3"
                },
                {
                  "name": "ssh_options:get_password_option/2"
                }
              ],
              "repo": "https://github.com/erlang/otp",
              "vendor": "Erlang",
              "versions": [
                {
                  "lessThan": "29.0.2",
                  "status": "affected",
                  "version": "29.0",
                  "versionType": "otp"
                },
                {
                  "lessThan": "c342092ef4b369bb409d5b71ac8fd83bab74aedf",
                  "status": "affected",
                  "version": "032d1bc9491a3975c68faf9bc7776115d6ae3005",
                  "versionType": "git"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The SSH daemon must be configured with the \u003ctt\u003euser_passwords\u003c/tt\u003e or \u003ctt\u003epassword\u003c/tt\u003e option for password authentication. Systems using the \u003ctt\u003epwdfun\u003c/tt\u003e option instead are not affected."
                }
              ],
              "value": "The SSH daemon must be configured with the user_passwords or password option for password authentication. Systems using the pwdfun option instead are not affected."
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "29.0.2",
                      "versionStartIncluding": "29.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Zhang Delong"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Jakub Witczak"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Ingela Anderton Andin"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Micha\u0142 W\u0105sowski"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eObservable Timing Discrepancy vulnerability in Erlang/OTP ssh (ssh_auth, ssh_options modules) allows unauthenticated remote username enumeration via timing side-channel in password authentication.\u003c/p\u003e\u003cp\u003eWhen the SSH daemon is configured with the \u003ctt\u003euser_passwords\u003c/tt\u003e or \u003ctt\u003epassword\u003c/tt\u003e option, \u003ctt\u003essh_auth:check_password/3\u003c/tt\u003e performs a PBKDF2-SHA256 computation with 600,000 iterations (~300ms) for valid usernames, but returns immediately (~0ms) for invalid usernames via the \u003ctt\u003essh_options:get_password_option/2\u003c/tt\u003e path. This timing difference is detectable in a single authentication attempt and allows an unauthenticated attacker to distinguish valid from invalid usernames.\u003c/p\u003e\u003cp\u003eThe \u003ctt\u003euser_passwords\u003c/tt\u003e and \u003ctt\u003epassword\u003c/tt\u003e options are documented as intended for test purposes; the recommended alternative is \u003ctt\u003epwdfun\u003c/tt\u003e, which is not affected by this vulnerability.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/ssh/src/ssh_auth.erl\u003c/tt\u003e and \u003ctt\u003elib/ssh/src/ssh_options.erl\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 29.0 before 29.0.2 corresponding to ssh from 6.0 before 6.0.1.\u003c/p\u003e"
                }
              ],
              "value": "Observable Timing Discrepancy vulnerability in Erlang/OTP ssh (ssh_auth, ssh_options modules) allows unauthenticated remote username enumeration via timing side-channel in password authentication.\n\nWhen the SSH daemon is configured with the user_passwords or password option, ssh_auth:check_password/3 performs a PBKDF2-SHA256 computation with 600,000 iterations (~300ms) for valid usernames, but returns immediately (~0ms) for invalid usernames via the ssh_options:get_password_option/2 path. This timing difference is detectable in a single authentication attempt and allows an unauthenticated attacker to distinguish valid from invalid usernames.\n\nThe user_passwords and password options are documented as intended for test purposes; the recommended alternative is pwdfun, which is not affected by this vulnerability.\n\nThis vulnerability is associated with program files lib/ssh/src/ssh_auth.erl and lib/ssh/src/ssh_options.erl.\n\nThis issue affects OTP from OTP 29.0 before 29.0.2 corresponding to ssh from 6.0 before 6.0.1."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-116",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-116 Excavation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-208",
                  "description": "CWE-208 Observable Timing Discrepancy",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-11T04:45:32.938Z",
            "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "shortName": "EEF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "related"
              ],
              "url": "https://github.com/erlang/otp/security/advisories/GHSA-3w6p-vwhf-wvp4"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://cna.erlef.org/cves/CVE-2026-48859.html"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://osv.dev/vulnerability/EEF-CVE-2026-48859"
            },
            {
              "tags": [
                "x_version-scheme"
              ],
              "url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/erlang/otp/commit/c342092ef4b369bb409d5b71ac8fd83bab74aedf"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "SSH server timing side-channel in ssh_auth:check_password/3 allows unauthenticated username enumeration",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Use the \u003ctt\u003epwdfun\u003c/tt\u003e option instead of \u003ctt\u003euser_passwords\u003c/tt\u003e for password authentication. The \u003ctt\u003epwdfun\u003c/tt\u003e callback gives full control over timing behavior and is not affected by this vulnerability. Implementations should take care to execute in approximately constant time regardless of username validity."
                }
              ],
              "value": "Use the pwdfun option instead of user_passwords for password authentication. The pwdfun callback gives full control over timing behavior and is not affected by this vulnerability. Implementations should take care to execute in approximately constant time regardless of username validity."
            },
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Restrict SSH port access to trusted networks only via firewall rules, reducing the set of potential attackers who can perform timing measurements."
                }
              ],
              "value": "Restrict SSH port access to trusted networks only via firewall rules, reducing the set of potential attackers who can perform timing measurements."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "assignerShortName": "EEF",
        "cveId": "CVE-2026-48859",
        "datePublished": "2026-06-10T14:35:43.553Z",
        "dateReserved": "2026-05-25T20:44:10.697Z",
        "dateUpdated": "2026-06-11T04:45:32.938Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48855 (GCVE-0-2026-48855)

    Vulnerability from nvd – Published: 2026-06-10 14:35 – Updated: 2026-06-11 04:45
    VLAI
    Title
    SFTP READLINK Leaks Absolute Backend Filesystem Path When Root Is Configured
    Summary
    Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Erlang OTP ssh (ssh_sftpd module) allows File Discovery. The SSH_FXP_READLINK handler in ssh_sftpd sends the raw result of file:read_link/2 to the client without calling chroot_filename/2 to strip the backend root prefix. An authenticated SFTP client can create a symlink inside the chroot pointing to /; ssh_sftpd resolves the target to the absolute backend root and stores it on disk. Reading the symlink back via SSH_FXP_READLINK returns that absolute path, for example /data/sftp, instead of the chrooted value /. The information disclosed is the absolute filesystem path of the SFTP root directory and of any symlink targets within it. No file contents, credentials, or access to paths outside the root directory are obtainable through this issue alone. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl. This issue affects OTP from OTP 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to ssh from 3.0.1 before 6.0.1, 5.5.2.1 and 5.2.11.8.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    EEF
    Impacted products
    Vendor Product Version
    Erlang OTP Affected: 3.0.1 , < * (otp)
        cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Erlang OTP Affected: 17.0 , < * (otp)
    Affected: 08225797f7ef943d0c82a1d9dd6650d94ca2580d , < 8f4224a0d2676b0653d2c71a889a956e8c2c62d6 (git)
        cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Jonatan Männchen / EEF Jonatan Männchen / EEF Michał Wąsowski Jakub Witczak
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48855",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-10T16:22:16.684743Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-10T16:22:24.746Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unknown",
              "modules": [
                "ssh_sftpd"
              ],
              "packageName": "ssh",
              "packageURL": "pkg:otp/ssh?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
              "product": "OTP",
              "programFiles": [
                "src/ssh_sftpd.erl"
              ],
              "programRoutines": [
                {
                  "name": "ssh_sftpd:handle_op/4"
                }
              ],
              "repo": "https://github.com/erlang/otp",
              "vendor": "Erlang",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "6.0.1",
                      "status": "unaffected"
                    },
                    {
                      "at": "5.5.2.1",
                      "status": "unaffected"
                    },
                    {
                      "at": "5.2.11.8",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "3.0.1",
                  "versionType": "otp"
                }
              ]
            },
            {
              "collectionURL": "https://github.com",
              "cpes": [
                "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unknown",
              "modules": [
                "ssh_sftpd"
              ],
              "packageName": "erlang/otp",
              "packageURL": "pkg:github/erlang/otp",
              "product": "OTP",
              "programFiles": [
                "lib/ssh/src/ssh_sftpd.erl"
              ],
              "programRoutines": [
                {
                  "name": "ssh_sftpd:handle_op/4"
                }
              ],
              "repo": "https://github.com/erlang/otp",
              "vendor": "Erlang",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "29.0.2",
                      "status": "unaffected"
                    },
                    {
                      "at": "28.5.0.2",
                      "status": "unaffected"
                    },
                    {
                      "at": "27.3.4.13",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "17.0",
                  "versionType": "otp"
                },
                {
                  "lessThan": "8f4224a0d2676b0653d2c71a889a956e8c2c62d6",
                  "status": "affected",
                  "version": "08225797f7ef943d0c82a1d9dd6650d94ca2580d",
                  "versionType": "git"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The SFTP subsystem must be enabled on the SSH server and the \u003ctt\u003eroot\u003c/tt\u003e option must be configured in the \u003ctt\u003essh_sftpd:subsystem_spec/1\u003c/tt\u003e call. Deployments without the \u003ctt\u003eroot\u003c/tt\u003e option are not affected."
                }
              ],
              "value": "The SFTP subsystem must be enabled on the SSH server and the root option must be configured in the ssh_sftpd:subsystem_spec/1 call. Deployments without the root option are not affected."
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "27.3.4.13",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "28.5.0.2",
                      "versionStartIncluding": "28.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "29.0.2",
                      "versionStartIncluding": "29.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "AND"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jonatan M\u00e4nnchen / EEF"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Jonatan M\u00e4nnchen / EEF"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Micha\u0142 W\u0105sowski"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Jakub Witczak"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Erlang OTP ssh (\u003ctt\u003essh_sftpd\u003c/tt\u003e module) allows File Discovery.\u003cp\u003eThe \u003ctt\u003eSSH_FXP_READLINK\u003c/tt\u003e handler in \u003ctt\u003essh_sftpd\u003c/tt\u003e sends the raw result of \u003ctt\u003efile:read_link/2\u003c/tt\u003e to the client without calling \u003ctt\u003echroot_filename/2\u003c/tt\u003e to strip the backend root prefix. An authenticated SFTP client can create a symlink inside the chroot pointing to \u003ctt\u003e/\u003c/tt\u003e; \u003ctt\u003essh_sftpd\u003c/tt\u003e resolves the target to the absolute backend root and stores it on disk. Reading the symlink back via \u003ctt\u003eSSH_FXP_READLINK\u003c/tt\u003e returns that absolute path, for example \u003ctt\u003e/data/sftp\u003c/tt\u003e, instead of the chrooted value \u003ctt\u003e/\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThe information disclosed is the absolute filesystem path of the SFTP root directory and of any symlink targets within it. No file contents, credentials, or access to paths outside the root directory are obtainable through this issue alone.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/ssh/src/ssh_sftpd.erl\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to ssh from 3.0.1 before 6.0.1, 5.5.2.1 and 5.2.11.8.\u003c/p\u003e"
                }
              ],
              "value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Erlang OTP ssh (ssh_sftpd module) allows File Discovery.\n\nThe SSH_FXP_READLINK handler in ssh_sftpd sends the raw result of file:read_link/2 to the client without calling chroot_filename/2 to strip the backend root prefix. An authenticated SFTP client can create a symlink inside the chroot pointing to /; ssh_sftpd resolves the target to the absolute backend root and stores it on disk. Reading the symlink back via SSH_FXP_READLINK returns that absolute path, for example /data/sftp, instead of the chrooted value /.\n\nThe information disclosed is the absolute filesystem path of the SFTP root directory and of any symlink targets within it. No file contents, credentials, or access to paths outside the root directory are obtainable through this issue alone.\n\nThis vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl.\n\nThis issue affects OTP from OTP 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to ssh from 3.0.1 before 6.0.1, 5.5.2.1 and 5.2.11.8."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-116",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-116 Excavation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 2.3,
                "baseSeverity": "LOW",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-11T04:45:29.864Z",
            "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "shortName": "EEF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "related"
              ],
              "url": "https://github.com/erlang/otp/security/advisories/GHSA-pv7g-pjrq-x2fh"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://cna.erlef.org/cves/CVE-2026-48855.html"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://osv.dev/vulnerability/EEF-CVE-2026-48855"
            },
            {
              "tags": [
                "x_version-scheme"
              ],
              "url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/erlang/otp/commit/8f4224a0d2676b0653d2c71a889a956e8c2c62d6"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "SFTP READLINK Leaks Absolute Backend Filesystem Path When Root Is Configured",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cul\u003e\u003cli\u003eUse OS-level chroot to run the Erlang VM/SFTP server process in an isolated filesystem environment, eliminating reliance on the application-level \u003ctt\u003eroot\u003c/tt\u003e option.\u003c/li\u003e\u003cli\u003eEnsure that the SFTP server port is not reachable from untrusted machines.\u003c/li\u003e\u003cli\u003eEnsure that no sensitive information (usernames, project names, mount topology) is inferrable from the absolute path of the configured root directory.\u003c/li\u003e\u003c/ul\u003e"
                }
              ],
              "value": "* Use OS-level chroot to run the Erlang VM/SFTP server process in an isolated filesystem environment, eliminating reliance on the application-level root option.\n* Ensure that the SFTP server port is not reachable from untrusted machines.\n* Ensure that no sensitive information (usernames, project names, mount topology) is inferrable from the absolute path of the configured root directory."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "assignerShortName": "EEF",
        "cveId": "CVE-2026-48855",
        "datePublished": "2026-06-10T14:35:49.683Z",
        "dateReserved": "2026-05-25T20:44:10.697Z",
        "dateUpdated": "2026-06-11T04:45:29.864Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-32147 (GCVE-0-2026-32147)

    Vulnerability from nvd – Published: 2026-04-21 12:01 – Updated: 2026-06-10 14:35
    VLAI
    Title
    SFTP chroot bypass via path traversal in SSH_FXP_FSETSTAT
    Summary
    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP user to modify file attributes outside the configured chroot directory. The SFTP daemon (ssh_sftpd) stores the raw, user-supplied path in file handles instead of the chroot-resolved path. When SSH_FXP_FSETSTAT is issued on such a handle, file attributes (permissions, ownership, timestamps) are modified on the real filesystem path, bypassing the root directory boundary entirely. Any authenticated SFTP user on a server configured with the root option can modify file attributes of files outside the intended chroot boundary. The prerequisite is that a target file must exist on the real filesystem at the same relative path. Note that this vulnerability only allows modification of file attributes; file contents cannot be read or altered through this attack vector. If the SSH daemon runs as root, this enables direct privilege escalation: an attacker can set the setuid bit on any binary, change ownership of sensitive files, or make system configuration world-writable. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl and program routines ssh_sftpd:do_open/4 and ssh_sftpd:handle_op/4. This issue affects OTP from OTP 17.0 until OTP 28.4.3, 27.3.4.11, and 26.2.5.20 corresponding to ssh from 3.01 until 5.5.3, 5.2.11.7, and 5.1.4.15.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    EEF
    Impacted products
    Vendor Product Version
    Erlang OTP Affected: 3.01 , < * (otp)
        cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Erlang OTP Affected: 17.0 , < * (otp)
    Affected: 07b8f441ca711f9812fad9e9115bab3c3aa92f79 , < * (git)
        cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    John Downey Michał Wąsowski Jakub Witczak
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-32147",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-21T13:11:06.946869Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-21T13:11:40.325Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unknown",
              "modules": [
                "ssh_sftpd"
              ],
              "packageName": "ssh",
              "packageURL": "pkg:otp/ssh?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
              "product": "OTP",
              "programFiles": [
                "src/ssh_sftpd.erl"
              ],
              "programRoutines": [
                {
                  "name": "ssh_sftpd:do_open/4"
                },
                {
                  "name": "ssh_sftpd:handle_op/4"
                }
              ],
              "repo": "https://github.com/erlang/otp",
              "vendor": "Erlang",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "5.5.3",
                      "status": "unaffected"
                    },
                    {
                      "at": "5.2.11.7",
                      "status": "unaffected"
                    },
                    {
                      "at": "5.1.4.15",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "3.01",
                  "versionType": "otp"
                }
              ]
            },
            {
              "collectionURL": "https://github.com",
              "cpes": [
                "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unknown",
              "modules": [
                "ssh_sftpd"
              ],
              "packageName": "erlang/otp",
              "packageURL": "pkg:github/erlang/otp",
              "product": "OTP",
              "programFiles": [
                "lib/ssh/src/ssh_sftpd.erl"
              ],
              "programRoutines": [
                {
                  "name": "ssh_sftpd:do_open/4"
                },
                {
                  "name": "ssh_sftpd:handle_op/4"
                }
              ],
              "repo": "https://github.com/erlang/otp",
              "vendor": "Erlang",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "28.4.3",
                      "status": "unaffected"
                    },
                    {
                      "at": "27.3.4.11",
                      "status": "unaffected"
                    },
                    {
                      "at": "26.2.5.20",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "17.0",
                  "versionType": "otp"
                },
                {
                  "changes": [
                    {
                      "at": "28c5d5a6c5f873dc701b597276271763e7d1c004",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "07b8f441ca711f9812fad9e9115bab3c3aa92f79",
                  "versionType": "git"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The SFTP subsystem must be configured with the \u003ctt\u003eroot\u003c/tt\u003e option in \u003ctt\u003essh_sftpd:subsystem_spec/1\u003c/tt\u003e. The \u003ctt\u003eroot\u003c/tt\u003e option is not set by default."
                }
              ],
              "value": "The SFTP subsystem must be configured with the root option in ssh_sftpd:subsystem_spec/1. The root option is not set by default."
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "26.2.5.20",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "27.3.4.11",
                      "versionStartIncluding": "27.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "28.4.3",
                      "versionStartIncluding": "28.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "AND"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "John Downey"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Micha\u0142 W\u0105sowski"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Jakub Witczak"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in Erlang OTP \u003ctt\u003essh\u003c/tt\u003e (\u003ctt\u003essh_sftpd\u003c/tt\u003e module) allows an authenticated SFTP user to modify file attributes outside the configured chroot directory.\u003cp\u003eThe SFTP daemon (\u003ctt\u003essh_sftpd\u003c/tt\u003e) stores the raw, user-supplied path in file handles instead of the chroot-resolved path. When \u003ctt\u003eSSH_FXP_FSETSTAT\u003c/tt\u003e is issued on such a handle, file attributes (permissions, ownership, timestamps) are modified on the real filesystem path, bypassing the root directory boundary entirely.\u003c/p\u003e\u003cp\u003eAny authenticated SFTP user on a server configured with the \u003ctt\u003eroot\u003c/tt\u003e option can modify file attributes of files outside the intended chroot boundary. The prerequisite is that a target file must exist on the real filesystem at the same relative path. Note that this vulnerability only allows modification of file attributes; file contents cannot be read or altered through this attack vector.\u003c/p\u003e\u003cp\u003eIf the SSH daemon runs as \u003ctt\u003eroot\u003c/tt\u003e, this enables direct privilege escalation: an attacker can set the setuid bit on any binary, change ownership of sensitive files, or make system configuration world-writable.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/ssh/src/ssh_sftpd.erl\u003c/tt\u003e and program routines \u003ctt\u003essh_sftpd:do_open/4\u003c/tt\u003e and \u003ctt\u003essh_sftpd:handle_op/4\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 17.0 until OTP 28.4.3, 27.3.4.11, and 26.2.5.20 corresponding to \u003ctt\u003essh\u003c/tt\u003e from 3.01 until 5.5.3, 5.2.11.7, and 5.1.4.15.\u003c/p\u003e"
                }
              ],
              "value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP user to modify file attributes outside the configured chroot directory.\n\nThe SFTP daemon (ssh_sftpd) stores the raw, user-supplied path in file handles instead of the chroot-resolved path. When SSH_FXP_FSETSTAT is issued on such a handle, file attributes (permissions, ownership, timestamps) are modified on the real filesystem path, bypassing the root directory boundary entirely.\n\nAny authenticated SFTP user on a server configured with the root option can modify file attributes of files outside the intended chroot boundary. The prerequisite is that a target file must exist on the real filesystem at the same relative path. Note that this vulnerability only allows modification of file attributes; file contents cannot be read or altered through this attack vector.\n\nIf the SSH daemon runs as root, this enables direct privilege escalation: an attacker can set the setuid bit on any binary, change ownership of sensitive files, or make system configuration world-writable.\n\nThis vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl and program routines ssh_sftpd:do_open/4 and ssh_sftpd:handle_op/4.\n\nThis issue affects OTP from OTP 17.0 until OTP 28.4.3, 27.3.4.11, and 26.2.5.20 corresponding to ssh from 3.01 until 5.5.3, 5.2.11.7, and 5.1.4.15."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-10T14:35:34.287Z",
            "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "shortName": "EEF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "related"
              ],
              "url": "https://github.com/erlang/otp/security/advisories/GHSA-28jg-mw9x-hpm5"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://cna.erlef.org/cves/CVE-2026-32147.html"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://osv.dev/vulnerability/EEF-CVE-2026-32147"
            },
            {
              "tags": [
                "x_version-scheme"
              ],
              "url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/erlang/otp/commit/28c5d5a6c5f873dc701b597276271763e7d1c004"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "SFTP chroot bypass via path traversal in SSH_FXP_FSETSTAT",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cul\u003e\u003cli\u003eDo not use the \u003ctt\u003eroot\u003c/tt\u003e option in \u003ctt\u003essh_sftpd:subsystem_spec/1\u003c/tt\u003e, and instead rely on OS-level chroot or container isolation to confine SFTP users.\u003c/li\u003e\u003cli\u003eEnsure the Erlang VM is not running as a privileged OS user. Running the VM as an unprivileged user limits the impact of this vulnerability, since attribute modifications are constrained by that user\u0027s OS-level permissions.\u003c/li\u003e\u003c/ul\u003e"
                }
              ],
              "value": "* Do not use the root option in ssh_sftpd:subsystem_spec/1, and instead rely on OS-level chroot or container isolation to confine SFTP users.\n* Ensure the Erlang VM is not running as a privileged OS user. Running the VM as an unprivileged user limits the impact of this vulnerability, since attribute modifications are constrained by that user\u0027s OS-level permissions."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "assignerShortName": "EEF",
        "cveId": "CVE-2026-32147",
        "datePublished": "2026-04-21T12:01:20.350Z",
        "dateReserved": "2026-03-10T22:37:29.213Z",
        "dateUpdated": "2026-06-10T14:35:34.287Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-23943 (GCVE-0-2026-23943)

    Vulnerability from nvd – Published: 2026-03-13 09:11 – Updated: 2026-06-10 14:35
    VLAI
    Title
    Pre-auth SSH DoS via unbounded zlib inflate
    Summary
    Improper Handling of Highly Compressed Data (Compression Bomb) vulnerability in Erlang OTP ssh (ssh_transport modules) allows Denial of Service via Resource Depletion. The SSH transport layer advertises legacy zlib compression by default and inflates attacker-controlled payloads pre-authentication without any size limit, enabling reliable memory exhaustion DoS. Two compression algorithms are affected: * zlib: Activates immediately after key exchange, enabling unauthenticated attacks * zlib@openssh.com: Activates post-authentication, enabling authenticated attacks Each SSH packet can decompress ~255 MB from 256 KB of wire data (1029:1 amplification ratio). Multiple packets can rapidly exhaust available memory, causing OOM kills in memory-constrained environments. This vulnerability is associated with program files lib/ssh/src/ssh_transport.erl and program routines ssh_transport:decompress/2, ssh_transport:handle_packet_part/4. This issue affects OTP from OTP 17.0 until OTP 28.4.1, 27.3.4.9 and 26.2.5.18 corresponding to ssh from 3.0.1 until 5.5.1, 5.2.11.6 and 5.1.4.14.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)
    Assigner
    EEF
    Impacted products
    Vendor Product Version
    Erlang OTP Affected: 3.0.1 , < * (otp)
        cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Erlang OTP Affected: 17.0 , < * (otp)
    Affected: 07b8f441ca711f9812fad9e9115bab3c3aa92f79 , < * (git)
        cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Igor Morgenstern / Aisle Research Michał Wąsowski Jakub Witczak
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-23943",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-13T16:01:40.898658Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-13T16:01:48.609Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unknown",
              "modules": [
                "ssh_transport"
              ],
              "packageName": "ssh",
              "packageURL": "pkg:otp/ssh?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
              "product": "OTP",
              "programFiles": [
                "src/ssh_transport.erl"
              ],
              "programRoutines": [
                {
                  "name": "ssh_transport:decompress/2"
                },
                {
                  "name": "ssh_transport:handle_packet_part/4"
                }
              ],
              "repo": "https://github.com/erlang/otp",
              "vendor": "Erlang",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "5.5.1",
                      "status": "unaffected"
                    },
                    {
                      "at": "5.2.11.6",
                      "status": "unaffected"
                    },
                    {
                      "at": "5.1.4.14",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "3.0.1",
                  "versionType": "otp"
                }
              ]
            },
            {
              "collectionURL": "https://github.com",
              "cpes": [
                "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unknown",
              "modules": [
                "ssh_transport"
              ],
              "packageName": "erlang/otp",
              "packageURL": "pkg:github/erlang/otp",
              "product": "OTP",
              "programFiles": [
                "lib/ssh/src/ssh_transport.erl"
              ],
              "programRoutines": [
                {
                  "name": "ssh_transport:decompress/2"
                },
                {
                  "name": "ssh_transport:handle_packet_part/4"
                }
              ],
              "repo": "https://github.com/erlang/otp",
              "vendor": "Erlang",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "28.4.1",
                      "status": "unaffected"
                    },
                    {
                      "at": "27.3.4.9",
                      "status": "unaffected"
                    },
                    {
                      "at": "26.2.5.18",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "17.0",
                  "versionType": "otp"
                },
                {
                  "changes": [
                    {
                      "at": "43a87b949bdff12d629a8c34146711d9da93b1b1",
                      "status": "unaffected"
                    },
                    {
                      "at": "93073c3bd338c60cd2bae715ce6a1d4ffc1a8fd3",
                      "status": "unaffected"
                    },
                    {
                      "at": "0c1c04b191f6ab940e8fcfabce39eb5a8a6440a4",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "07b8f441ca711f9812fad9e9115bab3c3aa92f79",
                  "versionType": "git"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The SSH server or client must advertise \u003ctt\u003ezlib\u003c/tt\u003e or \u003ctt\u003ezlib@openssh.com\u003c/tt\u003e compression. Both are enabled by default. With \u003ctt\u003ezlib\u003c/tt\u003e, the attack is pre-authentication; with \u003ctt\u003ezlib@openssh.com\u003c/tt\u003e, authentication is required first."
                }
              ],
              "value": "The SSH server or client must advertise zlib or zlib@openssh.com compression. Both are enabled by default. With zlib, the attack is pre-authentication; with zlib@openssh.com, authentication is required first."
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "26.2.5.18",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "27.3.4.9",
                      "versionStartIncluding": "27.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "28.4.1",
                      "versionStartIncluding": "28.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "AND"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Igor Morgenstern / Aisle Research"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Micha\u0142 W\u0105sowski"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Jakub Witczak"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Handling of Highly Compressed Data (Compression Bomb) vulnerability in Erlang OTP ssh (ssh_transport modules) allows Denial of Service via Resource Depletion.\u003cp\u003eThe SSH transport layer advertises legacy zlib compression by default and inflates attacker-controlled payloads pre-authentication without any size limit, enabling reliable memory exhaustion DoS.\u003c/p\u003e\u003cp\u003eTwo compression algorithms are affected:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cb\u003ezlib:\u003c/b\u003e Activates immediately after key exchange, enabling unauthenticated attacks\u003c/li\u003e\u003cli\u003e\u003cb\u003ezlib@openssh.com:\u003c/b\u003e Activates post-authentication, enabling authenticated attacks\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eEach SSH packet can decompress ~255 MB from 256 KB of wire data (1029:1 amplification ratio). Multiple packets can rapidly exhaust available memory, causing OOM kills in memory-constrained environments.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/ssh/src/ssh_transport.erl\u003c/tt\u003e and program routines \u003ctt\u003essh_transport:decompress/2\u003c/tt\u003e, \u003ctt\u003essh_transport:handle_packet_part/4\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 17.0 until OTP 28.4.1, 27.3.4.9 and 26.2.5.18 corresponding to ssh from 3.0.1 until 5.5.1, 5.2.11.6 and 5.1.4.14.\u003c/p\u003e"
                }
              ],
              "value": "Improper Handling of Highly Compressed Data (Compression Bomb) vulnerability in Erlang OTP ssh (ssh_transport modules) allows Denial of Service via Resource Depletion.\n\nThe SSH transport layer advertises legacy zlib compression by default and inflates attacker-controlled payloads pre-authentication without any size limit, enabling reliable memory exhaustion DoS.\n\nTwo compression algorithms are affected:\n\n* zlib: Activates immediately after key exchange, enabling unauthenticated attacks\n* zlib@openssh.com: Activates post-authentication, enabling authenticated attacks\n\nEach SSH packet can decompress ~255 MB from 256 KB of wire data (1029:1 amplification ratio). Multiple packets can rapidly exhaust available memory, causing OOM kills in memory-constrained environments.\n\nThis vulnerability is associated with program files lib/ssh/src/ssh_transport.erl and program routines ssh_transport:decompress/2, ssh_transport:handle_packet_part/4.\n\nThis issue affects OTP from OTP 17.0 until OTP 28.4.1, 27.3.4.9 and 26.2.5.18 corresponding to ssh from 3.0.1 until 5.5.1, 5.2.11.6 and 5.1.4.14."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-130",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-130 Excessive Allocation"
                }
              ]
            },
            {
              "capecId": "CAPEC-490",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-490 Amplification"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-409",
                  "description": "CWE-409 Improper Handling of Highly Compressed Data (Data Amplification)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-10T14:35:39.425Z",
            "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "shortName": "EEF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "related"
              ],
              "url": "https://github.com/erlang/otp/security/advisories/GHSA-c836-qprm-jw9r"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://cna.erlef.org/cves/CVE-2026-23943.html"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://osv.dev/vulnerability/EEF-CVE-2026-23943"
            },
            {
              "tags": [
                "x_version-scheme"
              ],
              "url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/erlang/otp/commit/43a87b949bdff12d629a8c34146711d9da93b1b1"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/erlang/otp/commit/93073c3bd338c60cd2bae715ce6a1d4ffc1a8fd3"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/erlang/otp/commit/0c1c04b191f6ab940e8fcfabce39eb5a8a6440a4"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Pre-auth SSH DoS via unbounded zlib inflate",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003e\u003cb\u003eBest workaround - Disable all compression:\u003c/b\u003e\u003c/p\u003e\u003cpre\u003e{preferred_algorithms, [{compression, [\u0027none\u0027]}]}\u003c/pre\u003e\u003cp\u003e\u003cb\u003eAlternative mitigations (less secure):\u003c/b\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eDisable only pre-auth zlib compression (authenticated users can still exploit via zlib@openssh.com):\u003cpre\u003e{modify_algorithms, [{rm, [{compression, [\u0027zlib\u0027]}]}]}\u003c/pre\u003e\u003c/li\u003e\u003cli\u003eLimit concurrent sessions (reduces attack surface but does not prevent exploitation):\u003cpre\u003e{max_sessions, N}  % Cap total concurrent sessions (default is infinity)\u003c/pre\u003e\u003c/li\u003e\u003c/ul\u003e"
                }
              ],
              "value": "Best workaround - Disable all compression:\n\n{preferred_algorithms, [{compression, [\u0027none\u0027]}]}\n\nAlternative mitigations (less secure):\n\n* Disable only pre-auth zlib compression (authenticated users can still exploit via zlib@openssh.com):\n  {modify_algorithms, [{rm, [{compression, [\u0027zlib\u0027]}]}]}\n* Limit concurrent sessions (reduces attack surface but does not prevent exploitation):\n  {max_sessions, N}  % Cap total concurrent sessions (default is infinity)"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "assignerShortName": "EEF",
        "cveId": "CVE-2026-23943",
        "datePublished": "2026-03-13T09:11:57.794Z",
        "dateReserved": "2026-01-19T14:23:14.343Z",
        "dateUpdated": "2026-06-10T14:35:39.425Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-23942 (GCVE-0-2026-23942)

    Vulnerability from nvd – Published: 2026-03-13 09:11 – Updated: 2026-05-27 15:41
    VLAI
    Title
    SFTP root escape via component-agnostic prefix check in ssh_sftpd
    Summary
    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP (ssh_sftpd module) allows Path Traversal. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl and program routines ssh_sftpd:is_within_root/2. The SFTP server uses string prefix matching via lists:prefix/2 rather than proper path component validation when checking if a path is within the configured root directory. This allows authenticated users to access sibling directories that share a common name prefix with the configured root directory. For example, if root is set to /home/user1, paths like /home/user10 or /home/user1_backup would incorrectly be considered within the root. This issue affects OTP from OTP 17.0 until OTP 28.4.1, OTP 27.3.4.9 and OTP 26.2.5.18, corresponding to ssh from 3.0.1 until 5.5.1, 5.2.11.6 and 5.1.4.14.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    EEF
    Impacted products
    Vendor Product Version
    Erlang OTP Affected: 3.0.1 , < * (otp)
        cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Erlang OTP Affected: 17.0 , < * (otp)
    Affected: 0 , < * (git)
        cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Luigino Camastra / Aisle Research Jakub Witczak Michał Wąsowski
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-23942",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-13T16:02:31.222384Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-13T16:02:38.388Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unknown",
              "modules": [
                "ssh_sftpd"
              ],
              "packageName": "ssh",
              "packageURL": "pkg:otp/ssh?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
              "product": "OTP",
              "programFiles": [
                "src/ssh_sftpd.erl"
              ],
              "programRoutines": [
                {
                  "name": "ssh_sftpd:is_within_root/2"
                }
              ],
              "repo": "https://github.com/erlang/otp",
              "vendor": "Erlang",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "5.5.1",
                      "status": "unaffected"
                    },
                    {
                      "at": "5.2.11.6",
                      "status": "unaffected"
                    },
                    {
                      "at": "5.1.4.14",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "3.0.1",
                  "versionType": "otp"
                }
              ]
            },
            {
              "collectionURL": "https://github.com",
              "cpes": [
                "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unknown",
              "modules": [
                "ssh_sftpd"
              ],
              "packageName": "erlang/otp",
              "packageURL": "pkg:github/erlang/otp",
              "product": "OTP",
              "programFiles": [
                "lib/ssh/src/ssh_sftpd.erl"
              ],
              "programRoutines": [
                {
                  "name": "ssh_sftpd:is_within_root/2"
                }
              ],
              "repo": "https://github.com/erlang/otp",
              "vendor": "Erlang",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "28.4.1",
                      "status": "unaffected"
                    },
                    {
                      "at": "27.3.4.9",
                      "status": "unaffected"
                    },
                    {
                      "at": "26.2.5.18",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "17.0",
                  "versionType": "otp"
                },
                {
                  "changes": [
                    {
                      "at": "27688a824f753d4c16371dc70e88753fb410590b",
                      "status": "unaffected"
                    },
                    {
                      "at": "9e0ac85d3485e7898e0da88a14be0ee2310a3b28",
                      "status": "unaffected"
                    },
                    {
                      "at": "5ed603a1211b83b8be2d1fc06d3f3bf30c3c9759",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "0",
                  "versionType": "git"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The SFTP subsystem must be enabled on the SSH server, the SSH port must be reachable by the attacker, and a root directory must be configured. This is the case when \u003ctt\u003essh_sftpd\u003c/tt\u003e is included in the \u003ctt\u003esubsystems\u003c/tt\u003e option with a \u003ctt\u003eroot\u003c/tt\u003e parameter and there exist sibling directories sharing the same name prefix as the root."
                }
              ],
              "value": "The SFTP subsystem must be enabled on the SSH server, the SSH port must be reachable by the attacker, and a root directory must be configured. This is the case when ssh_sftpd is included in the subsystems option with a root parameter and there exist sibling directories sharing the same name prefix as the root."
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "26.2.5.18",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "27.3.4.9",
                      "versionStartIncluding": "27.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "28.4.1",
                      "versionStartIncluding": "28.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "AND"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Luigino Camastra / Aisle Research"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Jakub Witczak"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Micha\u0142 W\u0105sowski"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in Erlang OTP (ssh_sftpd module) allows Path Traversal.\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/ssh/src/ssh_sftpd.erl\u003c/tt\u003e and program routines \u003ctt\u003essh_sftpd:is_within_root/2\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThe SFTP server uses string prefix matching via \u003ctt\u003elists:prefix/2\u003c/tt\u003e rather than proper path component validation when checking if a path is within the configured root directory. This allows authenticated users to access sibling directories that share a common name prefix with the configured root directory. For example, if root is set to \u003ctt\u003e/home/user1\u003c/tt\u003e, paths like \u003ctt\u003e/home/user10\u003c/tt\u003e or \u003ctt\u003e/home/user1_backup\u003c/tt\u003e would incorrectly be considered within the root.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 17.0 until OTP 28.4.1, OTP 27.3.4.9 and OTP 26.2.5.18, corresponding to ssh from 3.0.1 until 5.5.1, 5.2.11.6 and 5.1.4.14.\u003c/p\u003e"
                }
              ],
              "value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in Erlang OTP (ssh_sftpd module) allows Path Traversal.\n\nThis vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl and program routines ssh_sftpd:is_within_root/2.\n\nThe SFTP server uses string prefix matching via lists:prefix/2 rather than proper path component validation when checking if a path is within the configured root directory. This allows authenticated users to access sibling directories that share a common name prefix with the configured root directory. For example, if root is set to /home/user1, paths like /home/user10 or /home/user1_backup would incorrectly be considered within the root.\n\nThis issue affects OTP from OTP 17.0 until OTP 28.4.1, OTP 27.3.4.9 and OTP 26.2.5.18, corresponding to ssh from 3.0.1 until 5.5.1, 5.2.11.6 and 5.1.4.14."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-126",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-126 Path Traversal"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-27T15:41:40.808Z",
            "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "shortName": "EEF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "related"
              ],
              "url": "https://github.com/erlang/otp/security/advisories/GHSA-4749-w85x-hw9h"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://cna.erlef.org/cves/CVE-2026-23942.html"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://osv.dev/vulnerability/EEF-CVE-2026-23942"
            },
            {
              "tags": [
                "x_version-scheme"
              ],
              "url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/erlang/otp/commit/27688a824f753d4c16371dc70e88753fb410590b"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/erlang/otp/commit/9e0ac85d3485e7898e0da88a14be0ee2310a3b28"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/erlang/otp/commit/5ed603a1211b83b8be2d1fc06d3f3bf30c3c9759"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "SFTP root escape via component-agnostic prefix check in ssh_sftpd",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cul\u003e\u003cli\u003eUse OS-level chroot to run the Erlang VM/SFTP server process in an isolated filesystem environment.\u003c/li\u003e\u003cli\u003eEnsure that no sensitive or precious data is readable or writable by the OS user running the Erlang VM.\u003c/li\u003e\u003cli\u003eEnsure that the SFTP server port is not reachable from untrusted machines.\u003c/li\u003e\u003cli\u003eUse directory naming conventions that avoid common prefixes (e.g., \u003ctt\u003e/home/users/alice/\u003c/tt\u003e instead of \u003ctt\u003e/home/user1/\u003c/tt\u003e).\u003c/li\u003e\u003c/ul\u003e"
                }
              ],
              "value": "* Use OS-level chroot to run the Erlang VM/SFTP server process in an isolated filesystem environment.\n* Ensure that no sensitive or precious data is readable or writable by the OS user running the Erlang VM.\n* Ensure that the SFTP server port is not reachable from untrusted machines.\n* Use directory naming conventions that avoid common prefixes (e.g., /home/users/alice/ instead of /home/user1/)."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "assignerShortName": "EEF",
        "cveId": "CVE-2026-23942",
        "datePublished": "2026-03-13T09:11:56.424Z",
        "dateReserved": "2026-01-19T14:23:14.343Z",
        "dateUpdated": "2026-05-27T15:41:40.808Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-54886 (GCVE-0-2026-54886)

    Vulnerability from cvelistv5 – Published: 2026-07-02 16:06 – Updated: 2026-07-03 04:29
    VLAI
    Title
    SSH SFTP server denial of service via extended channel data infinite loop
    Summary
    Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP user to render an SFTP channel permanently unresponsive. The handle_data/4 function in ssh_sftpd contains a catch-all clause that accepts channel data of any type. When channel data with a non-zero type code (SSH_MSG_CHANNEL_EXTENDED_DATA) arrives with an empty pending buffer and a payload at or below the SFTP packet size limit, the clause tail-calls itself with identical arguments, creating an infinite loop. The SFTP protocol operates exclusively on normal channel data (type 0). Extended data (non-zero type) is meaningless for SFTP and is never sent by conforming clients. However, the SSH protocol permits any channel participant to send extended data on an open channel, so an authenticated SFTP client can trigger the loop by sending SSH_MSG_CHANNEL_EXTENDED_DATA with any data_type_code and any non-empty payload at or below the size limit. The targeted ssh_sftpd process enters an infinite tail-recursive loop. It never processes another message, its message queue grows without bound, and it can only be stopped by killing the process. BEAM's reduction-based scheduler preemption continues to function, so other processes on the node are not starved, but each stuck channel process consumes its full CPU time share continuously and accumulates unbounded message queue memory. Opening many channels amplifies the CPU and memory impact. Erlang/OTP SSH configurations using the default max_channels setting (infinity) allow an authenticated user to open unlimited channels per connection, amplifying the attack without requiring multiple TCP connections or authentications. No file contents, credentials, or write access are obtainable through this issue. The impact is limited to denial of service on targeted SFTP channels, with secondary CPU degradation and memory growth. This vulnerability is associated with program file lib/ssh/src/ssh_sftpd.erl and program routine ssh_sftpd:handle_data/4. This issue affects OTP from OTP 17.0 until OTP 29.0.3, 28.5.0.3, and 27.3.4.14 corresponding to ssh from 3.0.1 until 6.0.2, 5.5.2.2, and 5.2.11.9.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    EEF
    Impacted products
    Vendor Product Version
    Erlang OTP Affected: 3.0.1 , < * (otp)
        cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Erlang OTP Affected: 17.0 , < * (otp)
    Affected: 84adefa3318eef8631bf25cd233246a86eea18cd , < eaf9550b8ad4738b81149d3f617102d980c6dd18 (git)
        cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Lukas Backström Michał Wąsowski Jakub Witczak
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-54886",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-02T17:27:25.414155Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-02T17:27:30.648Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "ssh_sftpd"
              ],
              "packageName": "ssh",
              "packageURL": "pkg:otp/ssh?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
              "product": "OTP",
              "programFiles": [
                "src/ssh_sftpd.erl"
              ],
              "programRoutines": [
                {
                  "name": "ssh_sftpd:handle_data/4"
                }
              ],
              "repo": "https://github.com/erlang/otp",
              "vendor": "Erlang",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "6.0.2",
                      "status": "unaffected"
                    },
                    {
                      "at": "5.5.2.2",
                      "status": "unaffected"
                    },
                    {
                      "at": "5.2.11.9",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "3.0.1",
                  "versionType": "otp"
                }
              ]
            },
            {
              "collectionURL": "https://github.com",
              "cpes": [
                "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "ssh_sftpd"
              ],
              "packageName": "erlang/otp",
              "packageURL": "pkg:github/erlang/otp",
              "product": "OTP",
              "programFiles": [
                "lib/ssh/src/ssh_sftpd.erl"
              ],
              "programRoutines": [
                {
                  "name": "ssh_sftpd:handle_data/4"
                }
              ],
              "repo": "https://github.com/erlang/otp",
              "vendor": "Erlang",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "29.0.3",
                      "status": "unaffected"
                    },
                    {
                      "at": "28.5.0.3",
                      "status": "unaffected"
                    },
                    {
                      "at": "27.3.4.14",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "17.0",
                  "versionType": "otp"
                },
                {
                  "lessThan": "eaf9550b8ad4738b81149d3f617102d980c6dd18",
                  "status": "affected",
                  "version": "84adefa3318eef8631bf25cd233246a86eea18cd",
                  "versionType": "git"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "27.3.4.14",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "28.5.0.3",
                      "versionStartIncluding": "28.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "29.0.3",
                      "versionStartIncluding": "29.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "AND"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Lukas Backstr\u00f6m"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Micha\u0142 W\u0105sowski"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Jakub Witczak"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027) vulnerability in Erlang OTP \u003ctt\u003essh\u003c/tt\u003e (\u003ctt\u003essh_sftpd\u003c/tt\u003e module) allows an authenticated SFTP user to render an SFTP channel permanently unresponsive.\u003cp\u003eThe \u003ctt\u003ehandle_data/4\u003c/tt\u003e function in \u003ctt\u003essh_sftpd\u003c/tt\u003e contains a catch-all clause that accepts channel data of any type. When channel data with a non-zero type code (\u003ctt\u003eSSH_MSG_CHANNEL_EXTENDED_DATA\u003c/tt\u003e) arrives with an empty pending buffer and a payload at or below the SFTP packet size limit, the clause tail-calls itself with identical arguments, creating an infinite loop.\u003c/p\u003e\u003cp\u003eThe SFTP protocol operates exclusively on normal channel data (type 0). Extended data (non-zero type) is meaningless for SFTP and is never sent by conforming clients. However, the SSH protocol permits any channel participant to send extended data on an open channel, so an authenticated SFTP client can trigger the loop by sending \u003ctt\u003eSSH_MSG_CHANNEL_EXTENDED_DATA\u003c/tt\u003e with any \u003ctt\u003edata_type_code\u003c/tt\u003e and any non-empty payload at or below the size limit.\u003c/p\u003e\u003cp\u003eThe targeted \u003ctt\u003essh_sftpd\u003c/tt\u003e process enters an infinite tail-recursive loop. It never processes another message, its message queue grows without bound, and it can only be stopped by killing the process. BEAM\u0027s reduction-based scheduler preemption continues to function, so other processes on the node are not starved, but each stuck channel process consumes its full CPU time share continuously and accumulates unbounded message queue memory. Opening many channels amplifies the CPU and memory impact.\u003c/p\u003e\u003cp\u003eErlang/OTP SSH configurations using the default \u003ctt\u003emax_channels\u003c/tt\u003e setting (\u003ctt\u003einfinity\u003c/tt\u003e) allow an authenticated user to open unlimited channels per connection, amplifying the attack without requiring multiple TCP connections or authentications.\u003c/p\u003e\u003cp\u003eNo file contents, credentials, or write access are obtainable through this issue. The impact is limited to denial of service on targeted SFTP channels, with secondary CPU degradation and memory growth.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program file \u003ctt\u003elib/ssh/src/ssh_sftpd.erl\u003c/tt\u003e and program routine \u003ctt\u003essh_sftpd:handle_data/4\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 17.0 until OTP 29.0.3, 28.5.0.3, and 27.3.4.14 corresponding to \u003ctt\u003essh\u003c/tt\u003e from 3.0.1 until 6.0.2, 5.5.2.2, and 5.2.11.9.\u003c/p\u003e"
                }
              ],
              "value": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027) vulnerability in Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP user to render an SFTP channel permanently unresponsive.\n\nThe handle_data/4 function in ssh_sftpd contains a catch-all clause that accepts channel data of any type. When channel data with a non-zero type code (SSH_MSG_CHANNEL_EXTENDED_DATA) arrives with an empty pending buffer and a payload at or below the SFTP packet size limit, the clause tail-calls itself with identical arguments, creating an infinite loop.\n\nThe SFTP protocol operates exclusively on normal channel data (type 0). Extended data (non-zero type) is meaningless for SFTP and is never sent by conforming clients. However, the SSH protocol permits any channel participant to send extended data on an open channel, so an authenticated SFTP client can trigger the loop by sending SSH_MSG_CHANNEL_EXTENDED_DATA with any data_type_code and any non-empty payload at or below the size limit.\n\nThe targeted ssh_sftpd process enters an infinite tail-recursive loop. It never processes another message, its message queue grows without bound, and it can only be stopped by killing the process. BEAM\u0027s reduction-based scheduler preemption continues to function, so other processes on the node are not starved, but each stuck channel process consumes its full CPU time share continuously and accumulates unbounded message queue memory. Opening many channels amplifies the CPU and memory impact.\n\nErlang/OTP SSH configurations using the default max_channels setting (infinity) allow an authenticated user to open unlimited channels per connection, amplifying the attack without requiring multiple TCP connections or authentications.\n\nNo file contents, credentials, or write access are obtainable through this issue. The impact is limited to denial of service on targeted SFTP channels, with secondary CPU degradation and memory growth.\n\nThis vulnerability is associated with program file lib/ssh/src/ssh_sftpd.erl and program routine ssh_sftpd:handle_data/4.\n\nThis issue affects OTP from OTP 17.0 until OTP 29.0.3, 28.5.0.3, and 27.3.4.14 corresponding to ssh from 3.0.1 until 6.0.2, 5.5.2.2, and 5.2.11.9."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-130",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-130 Excessive Allocation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackVector": "NETWORK",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-835",
                  "description": "CWE-835 Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
                  "lang": "en",
                  "type": "CWE"
                },
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400 Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-03T04:29:26.056Z",
            "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "shortName": "EEF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "related"
              ],
              "url": "https://github.com/erlang/otp/security/advisories/GHSA-7wp4-pc27-2vj9"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://cna.erlef.org/cves/CVE-2026-54886.html"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://osv.dev/vulnerability/EEF-CVE-2026-54886"
            },
            {
              "tags": [
                "x_version-scheme"
              ],
              "url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/erlang/otp/commit/eaf9550b8ad4738b81149d3f617102d980c6dd18"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "SSH SFTP server denial of service via extended channel data infinite loop",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cul\u003e\u003cli\u003eSet the \u003ctt\u003emax_channels\u003c/tt\u003e daemon option to a finite value (e.g., \u003ctt\u003e{max_channels, 10}\u003c/tt\u003e) to limit the number of channels an attacker can open per connection.\u003c/li\u003e\u003cli\u003eSet the \u003ctt\u003emax_sessions\u003c/tt\u003e daemon option to limit total concurrent SSH connections to the daemon.\u003c/li\u003e\u003cli\u003eUse external process monitoring to detect and kill \u003ctt\u003essh_sftpd\u003c/tt\u003e processes with abnormally high reduction counts and growing message queues.\u003c/li\u003e\u003cli\u003eEnsure that the SFTP server port is not reachable from untrusted machines.\u003c/li\u003e\u003c/ul\u003e"
                }
              ],
              "value": "* Set the max_channels daemon option to a finite value (e.g., {max_channels, 10}) to limit the number of channels an attacker can open per connection.\n* Set the max_sessions daemon option to limit total concurrent SSH connections to the daemon.\n* Use external process monitoring to detect and kill ssh_sftpd processes with abnormally high reduction counts and growing message queues.\n* Ensure that the SFTP server port is not reachable from untrusted machines."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "assignerShortName": "EEF",
        "cveId": "CVE-2026-54886",
        "datePublished": "2026-07-02T16:06:20.502Z",
        "dateReserved": "2026-06-16T10:47:13.914Z",
        "dateUpdated": "2026-07-03T04:29:26.056Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-53422 (GCVE-0-2026-53422)

    Vulnerability from cvelistv5 – Published: 2026-07-02 16:06 – Updated: 2026-07-03 04:28
    VLAI
    Title
    SFTP REALPATH path-existence oracle allowing filesystem enumeration outside configured root
    Summary
    Observable Response Discrepancy vulnerability in Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP user to enumerate the existence of files and directories outside the configured root directory. The SSH_FXP_REALPATH handler in ssh_sftpd calls relate_file_name/3 with Canonicalize=false, unlike every other SFTP operation handler. This allows .. components in the requested path to bypass the is_within_root/2 check without being resolved. The un-canonicalized path then enters resolve_symlinks/2, which walks up the directory tree above the configured root and issues read_link() syscalls on arbitrary filesystem paths. An authenticated SFTP client can exploit this by sending a REALPATH request with a crafted traversal path. The server response differs depending on whether the target path exists on the host filesystem (SSH_FXP_NAME when the path resolves successfully, SSH_FX_NO_SUCH_FILE when it does not). This creates a path-existence oracle that an attacker can use to enumerate the filesystem structure outside the configured root, including the existence of sensitive files, directories, and mount points. The vulnerability leaks only the existence of paths. No file contents, credentials, or write access are obtainable through this issue alone. The information gained may assist further attacks when combined with other vulnerabilities. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl and program routine ssh_sftpd:handle_op/4. This issue affects OTP from OTP 17.0 until OTP 29.0.3, 28.5.0.3, and 27.3.4.14 corresponding to ssh from 3.0.1 until 6.0.2, 5.5.2.2, and 5.2.11.9.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-204 - Observable Response Discrepancy
    Assigner
    EEF
    Impacted products
    Vendor Product Version
    Erlang OTP Affected: 3.0.1 , < * (otp)
        cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Erlang OTP Affected: 17.0 , < * (otp)
    Affected: 84adefa331c4159d432d22840663c38f155cd4c1 , < * (git)
        cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Mohamed Ali IBNAL HAJALI / Ericsson Michał Wąsowski Jakub Witczak
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-53422",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-02T17:29:13.490797Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-02T17:29:32.878Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "ssh_sftpd"
              ],
              "packageName": "ssh",
              "packageURL": "pkg:otp/ssh?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
              "product": "OTP",
              "programFiles": [
                "src/ssh_sftpd.erl"
              ],
              "programRoutines": [
                {
                  "name": "ssh_sftpd:handle_op/4"
                }
              ],
              "repo": "https://github.com/erlang/otp",
              "vendor": "Erlang",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "6.0.2",
                      "status": "unaffected"
                    },
                    {
                      "at": "5.5.2.2",
                      "status": "unaffected"
                    },
                    {
                      "at": "5.2.11.9",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "3.0.1",
                  "versionType": "otp"
                }
              ]
            },
            {
              "collectionURL": "https://github.com",
              "cpes": [
                "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "ssh_sftpd"
              ],
              "packageName": "erlang/otp",
              "packageURL": "pkg:github/erlang/otp",
              "product": "OTP",
              "programFiles": [
                "lib/ssh/src/ssh_sftpd.erl"
              ],
              "programRoutines": [
                {
                  "name": "ssh_sftpd:handle_op/4"
                }
              ],
              "repo": "https://github.com/erlang/otp",
              "vendor": "Erlang",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "29.0.3",
                      "status": "unaffected"
                    },
                    {
                      "at": "28.5.0.3",
                      "status": "unaffected"
                    },
                    {
                      "at": "27.3.4.14",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "17.0",
                  "versionType": "otp"
                },
                {
                  "changes": [
                    {
                      "at": "059e5785ef8c1d423820ca633fb7b37f47645172",
                      "status": "unaffected"
                    },
                    {
                      "at": "86622cfaacf57a02c7645d1999f946846b504c94",
                      "status": "unaffected"
                    },
                    {
                      "at": "c5a8f50ae68888ff243c5c741a06d2b3a4b48b7a",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "84adefa331c4159d432d22840663c38f155cd4c1",
                  "versionType": "git"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eThe SFTP subsystem must be configured with the \u003ctt\u003eroot\u003c/tt\u003e option in \u003ctt\u003essh_sftpd:subsystem_spec/1\u003c/tt\u003e, and the operator must rely on it to provide filesystem path isolation. The \u003ctt\u003eroot\u003c/tt\u003e option is not set by default.\u003c/p\u003e"
                }
              ],
              "value": "The SFTP subsystem must be configured with the root option in ssh_sftpd:subsystem_spec/1, and the operator must rely on it to provide filesystem path isolation. The root option is not set by default."
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "27.3.4.14",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "28.5.0.3",
                      "versionStartIncluding": "28.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "29.0.3",
                      "versionStartIncluding": "29.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "AND"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Mohamed Ali IBNAL HAJALI / Ericsson"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Micha\u0142 W\u0105sowski"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Jakub Witczak"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eObservable Response Discrepancy vulnerability in Erlang OTP \u003ctt\u003essh\u003c/tt\u003e (\u003ctt\u003essh_sftpd\u003c/tt\u003e module) allows an authenticated SFTP user to enumerate the existence of files and directories outside the configured root directory.\u003c/p\u003e\u003cp\u003eThe \u003ctt\u003eSSH_FXP_REALPATH\u003c/tt\u003e handler in \u003ctt\u003essh_sftpd\u003c/tt\u003e calls \u003ctt\u003erelate_file_name/3\u003c/tt\u003e with \u003ctt\u003eCanonicalize=false\u003c/tt\u003e, unlike every other SFTP operation handler. This allows \u003ctt\u003e..\u003c/tt\u003e components in the requested path to bypass the \u003ctt\u003eis_within_root/2\u003c/tt\u003e check without being resolved. The un-canonicalized path then enters \u003ctt\u003eresolve_symlinks/2\u003c/tt\u003e, which walks up the directory tree above the configured root and issues \u003ctt\u003eread_link()\u003c/tt\u003e syscalls on arbitrary filesystem paths.\u003c/p\u003e\u003cp\u003eAn authenticated SFTP client can exploit this by sending a \u003ctt\u003eREALPATH\u003c/tt\u003e request with a crafted traversal path. The server response differs depending on whether the target path exists on the host filesystem (\u003ctt\u003eSSH_FXP_NAME\u003c/tt\u003e when the path resolves successfully, \u003ctt\u003eSSH_FX_NO_SUCH_FILE\u003c/tt\u003e when it does not). This creates a path-existence oracle that an attacker can use to enumerate the filesystem structure outside the configured root, including the existence of sensitive files, directories, and mount points.\u003c/p\u003e\u003cp\u003eThe vulnerability leaks only the existence of paths. No file contents, credentials, or write access are obtainable through this issue alone. The information gained may assist further attacks when combined with other vulnerabilities.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/ssh/src/ssh_sftpd.erl\u003c/tt\u003e and program routine \u003ctt\u003essh_sftpd:handle_op/4\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 17.0 until OTP 29.0.3, 28.5.0.3, and 27.3.4.14 corresponding to \u003ctt\u003essh\u003c/tt\u003e from 3.0.1 until 6.0.2, 5.5.2.2, and 5.2.11.9.\u003c/p\u003e"
                }
              ],
              "value": "Observable Response Discrepancy vulnerability in Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP user to enumerate the existence of files and directories outside the configured root directory.\n\nThe SSH_FXP_REALPATH handler in ssh_sftpd calls relate_file_name/3 with Canonicalize=false, unlike every other SFTP operation handler. This allows .. components in the requested path to bypass the is_within_root/2 check without being resolved. The un-canonicalized path then enters resolve_symlinks/2, which walks up the directory tree above the configured root and issues read_link() syscalls on arbitrary filesystem paths.\n\nAn authenticated SFTP client can exploit this by sending a REALPATH request with a crafted traversal path. The server response differs depending on whether the target path exists on the host filesystem (SSH_FXP_NAME when the path resolves successfully, SSH_FX_NO_SUCH_FILE when it does not). This creates a path-existence oracle that an attacker can use to enumerate the filesystem structure outside the configured root, including the existence of sensitive files, directories, and mount points.\n\nThe vulnerability leaks only the existence of paths. No file contents, credentials, or write access are obtainable through this issue alone. The information gained may assist further attacks when combined with other vulnerabilities.\n\nThis vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl and program routine ssh_sftpd:handle_op/4.\n\nThis issue affects OTP from OTP 17.0 until OTP 29.0.3, 28.5.0.3, and 27.3.4.14 corresponding to ssh from 3.0.1 until 6.0.2, 5.5.2.2, and 5.2.11.9."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-54",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-54 Query System for Information"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 2.3,
                "baseSeverity": "LOW",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-204",
                  "description": "CWE-204 Observable Response Discrepancy",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-03T04:28:59.578Z",
            "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "shortName": "EEF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "related"
              ],
              "url": "https://github.com/erlang/otp/security/advisories/GHSA-h9pw-h5w4-h976"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://cna.erlef.org/cves/CVE-2026-53422.html"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://osv.dev/vulnerability/EEF-CVE-2026-53422"
            },
            {
              "tags": [
                "x_version-scheme"
              ],
              "url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/erlang/otp/commit/059e5785ef8c1d423820ca633fb7b37f47645172"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/erlang/otp/commit/86622cfaacf57a02c7645d1999f946846b504c94"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/erlang/otp/commit/c5a8f50ae68888ff243c5c741a06d2b3a4b48b7a"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "SFTP REALPATH path-existence oracle allowing filesystem enumeration outside configured root",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cul\u003e\u003cli\u003eUse OS-level chroot to run the Erlang VM or SFTP server process in an isolated filesystem environment, eliminating reliance on the application-level \u003ctt\u003eroot\u003c/tt\u003e option.\u003c/li\u003e\u003cli\u003eEnsure the SFTP server port on the machine running the Erlang/OTP SFTP server is not reachable from untrusted machines.\u003c/li\u003e\u003cli\u003eEnsure that no sensitive information (usernames, project names, mount topology) is inferrable from the existence or non-existence of paths on the host filesystem.\u003c/li\u003e\u003c/ul\u003e"
                }
              ],
              "value": "* Use OS-level chroot to run the Erlang VM or SFTP server process in an isolated filesystem environment, eliminating reliance on the application-level root option.\n* Ensure the SFTP server port on the machine running the Erlang/OTP SFTP server is not reachable from untrusted machines.\n* Ensure that no sensitive information (usernames, project names, mount topology) is inferrable from the existence or non-existence of paths on the host filesystem."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "assignerShortName": "EEF",
        "cveId": "CVE-2026-53422",
        "datePublished": "2026-07-02T16:06:03.802Z",
        "dateReserved": "2026-06-09T11:01:47.529Z",
        "dateUpdated": "2026-07-03T04:28:59.578Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48855 (GCVE-0-2026-48855)

    Vulnerability from cvelistv5 – Published: 2026-06-10 14:35 – Updated: 2026-06-11 04:45
    VLAI
    Title
    SFTP READLINK Leaks Absolute Backend Filesystem Path When Root Is Configured
    Summary
    Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Erlang OTP ssh (ssh_sftpd module) allows File Discovery. The SSH_FXP_READLINK handler in ssh_sftpd sends the raw result of file:read_link/2 to the client without calling chroot_filename/2 to strip the backend root prefix. An authenticated SFTP client can create a symlink inside the chroot pointing to /; ssh_sftpd resolves the target to the absolute backend root and stores it on disk. Reading the symlink back via SSH_FXP_READLINK returns that absolute path, for example /data/sftp, instead of the chrooted value /. The information disclosed is the absolute filesystem path of the SFTP root directory and of any symlink targets within it. No file contents, credentials, or access to paths outside the root directory are obtainable through this issue alone. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl. This issue affects OTP from OTP 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to ssh from 3.0.1 before 6.0.1, 5.5.2.1 and 5.2.11.8.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    EEF
    Impacted products
    Vendor Product Version
    Erlang OTP Affected: 3.0.1 , < * (otp)
        cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Erlang OTP Affected: 17.0 , < * (otp)
    Affected: 08225797f7ef943d0c82a1d9dd6650d94ca2580d , < 8f4224a0d2676b0653d2c71a889a956e8c2c62d6 (git)
        cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Jonatan Männchen / EEF Jonatan Männchen / EEF Michał Wąsowski Jakub Witczak
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48855",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-10T16:22:16.684743Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-10T16:22:24.746Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unknown",
              "modules": [
                "ssh_sftpd"
              ],
              "packageName": "ssh",
              "packageURL": "pkg:otp/ssh?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
              "product": "OTP",
              "programFiles": [
                "src/ssh_sftpd.erl"
              ],
              "programRoutines": [
                {
                  "name": "ssh_sftpd:handle_op/4"
                }
              ],
              "repo": "https://github.com/erlang/otp",
              "vendor": "Erlang",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "6.0.1",
                      "status": "unaffected"
                    },
                    {
                      "at": "5.5.2.1",
                      "status": "unaffected"
                    },
                    {
                      "at": "5.2.11.8",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "3.0.1",
                  "versionType": "otp"
                }
              ]
            },
            {
              "collectionURL": "https://github.com",
              "cpes": [
                "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unknown",
              "modules": [
                "ssh_sftpd"
              ],
              "packageName": "erlang/otp",
              "packageURL": "pkg:github/erlang/otp",
              "product": "OTP",
              "programFiles": [
                "lib/ssh/src/ssh_sftpd.erl"
              ],
              "programRoutines": [
                {
                  "name": "ssh_sftpd:handle_op/4"
                }
              ],
              "repo": "https://github.com/erlang/otp",
              "vendor": "Erlang",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "29.0.2",
                      "status": "unaffected"
                    },
                    {
                      "at": "28.5.0.2",
                      "status": "unaffected"
                    },
                    {
                      "at": "27.3.4.13",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "17.0",
                  "versionType": "otp"
                },
                {
                  "lessThan": "8f4224a0d2676b0653d2c71a889a956e8c2c62d6",
                  "status": "affected",
                  "version": "08225797f7ef943d0c82a1d9dd6650d94ca2580d",
                  "versionType": "git"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The SFTP subsystem must be enabled on the SSH server and the \u003ctt\u003eroot\u003c/tt\u003e option must be configured in the \u003ctt\u003essh_sftpd:subsystem_spec/1\u003c/tt\u003e call. Deployments without the \u003ctt\u003eroot\u003c/tt\u003e option are not affected."
                }
              ],
              "value": "The SFTP subsystem must be enabled on the SSH server and the root option must be configured in the ssh_sftpd:subsystem_spec/1 call. Deployments without the root option are not affected."
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "27.3.4.13",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "28.5.0.2",
                      "versionStartIncluding": "28.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "29.0.2",
                      "versionStartIncluding": "29.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "AND"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jonatan M\u00e4nnchen / EEF"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Jonatan M\u00e4nnchen / EEF"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Micha\u0142 W\u0105sowski"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Jakub Witczak"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Erlang OTP ssh (\u003ctt\u003essh_sftpd\u003c/tt\u003e module) allows File Discovery.\u003cp\u003eThe \u003ctt\u003eSSH_FXP_READLINK\u003c/tt\u003e handler in \u003ctt\u003essh_sftpd\u003c/tt\u003e sends the raw result of \u003ctt\u003efile:read_link/2\u003c/tt\u003e to the client without calling \u003ctt\u003echroot_filename/2\u003c/tt\u003e to strip the backend root prefix. An authenticated SFTP client can create a symlink inside the chroot pointing to \u003ctt\u003e/\u003c/tt\u003e; \u003ctt\u003essh_sftpd\u003c/tt\u003e resolves the target to the absolute backend root and stores it on disk. Reading the symlink back via \u003ctt\u003eSSH_FXP_READLINK\u003c/tt\u003e returns that absolute path, for example \u003ctt\u003e/data/sftp\u003c/tt\u003e, instead of the chrooted value \u003ctt\u003e/\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThe information disclosed is the absolute filesystem path of the SFTP root directory and of any symlink targets within it. No file contents, credentials, or access to paths outside the root directory are obtainable through this issue alone.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/ssh/src/ssh_sftpd.erl\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to ssh from 3.0.1 before 6.0.1, 5.5.2.1 and 5.2.11.8.\u003c/p\u003e"
                }
              ],
              "value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Erlang OTP ssh (ssh_sftpd module) allows File Discovery.\n\nThe SSH_FXP_READLINK handler in ssh_sftpd sends the raw result of file:read_link/2 to the client without calling chroot_filename/2 to strip the backend root prefix. An authenticated SFTP client can create a symlink inside the chroot pointing to /; ssh_sftpd resolves the target to the absolute backend root and stores it on disk. Reading the symlink back via SSH_FXP_READLINK returns that absolute path, for example /data/sftp, instead of the chrooted value /.\n\nThe information disclosed is the absolute filesystem path of the SFTP root directory and of any symlink targets within it. No file contents, credentials, or access to paths outside the root directory are obtainable through this issue alone.\n\nThis vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl.\n\nThis issue affects OTP from OTP 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to ssh from 3.0.1 before 6.0.1, 5.5.2.1 and 5.2.11.8."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-116",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-116 Excavation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 2.3,
                "baseSeverity": "LOW",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-11T04:45:29.864Z",
            "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "shortName": "EEF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "related"
              ],
              "url": "https://github.com/erlang/otp/security/advisories/GHSA-pv7g-pjrq-x2fh"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://cna.erlef.org/cves/CVE-2026-48855.html"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://osv.dev/vulnerability/EEF-CVE-2026-48855"
            },
            {
              "tags": [
                "x_version-scheme"
              ],
              "url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/erlang/otp/commit/8f4224a0d2676b0653d2c71a889a956e8c2c62d6"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "SFTP READLINK Leaks Absolute Backend Filesystem Path When Root Is Configured",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cul\u003e\u003cli\u003eUse OS-level chroot to run the Erlang VM/SFTP server process in an isolated filesystem environment, eliminating reliance on the application-level \u003ctt\u003eroot\u003c/tt\u003e option.\u003c/li\u003e\u003cli\u003eEnsure that the SFTP server port is not reachable from untrusted machines.\u003c/li\u003e\u003cli\u003eEnsure that no sensitive information (usernames, project names, mount topology) is inferrable from the absolute path of the configured root directory.\u003c/li\u003e\u003c/ul\u003e"
                }
              ],
              "value": "* Use OS-level chroot to run the Erlang VM/SFTP server process in an isolated filesystem environment, eliminating reliance on the application-level root option.\n* Ensure that the SFTP server port is not reachable from untrusted machines.\n* Ensure that no sensitive information (usernames, project names, mount topology) is inferrable from the absolute path of the configured root directory."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "assignerShortName": "EEF",
        "cveId": "CVE-2026-48855",
        "datePublished": "2026-06-10T14:35:49.683Z",
        "dateReserved": "2026-05-25T20:44:10.697Z",
        "dateUpdated": "2026-06-11T04:45:29.864Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48859 (GCVE-0-2026-48859)

    Vulnerability from cvelistv5 – Published: 2026-06-10 14:35 – Updated: 2026-06-11 04:45
    VLAI
    Title
    SSH server timing side-channel in ssh_auth:check_password/3 allows unauthenticated username enumeration
    Summary
    Observable Timing Discrepancy vulnerability in Erlang/OTP ssh (ssh_auth, ssh_options modules) allows unauthenticated remote username enumeration via timing side-channel in password authentication. When the SSH daemon is configured with the user_passwords or password option, ssh_auth:check_password/3 performs a PBKDF2-SHA256 computation with 600,000 iterations (~300ms) for valid usernames, but returns immediately (~0ms) for invalid usernames via the ssh_options:get_password_option/2 path. This timing difference is detectable in a single authentication attempt and allows an unauthenticated attacker to distinguish valid from invalid usernames. The user_passwords and password options are documented as intended for test purposes; the recommended alternative is pwdfun, which is not affected by this vulnerability. This vulnerability is associated with program files lib/ssh/src/ssh_auth.erl and lib/ssh/src/ssh_options.erl. This issue affects OTP from OTP 29.0 before 29.0.2 corresponding to ssh from 6.0 before 6.0.1.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-208 - Observable Timing Discrepancy
    Assigner
    EEF
    Impacted products
    Vendor Product Version
    Erlang OTP Affected: 6.0 , < 6.0.1 (otp)
        cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Erlang OTP Affected: 29.0 , < 29.0.2 (otp)
    Affected: 032d1bc9491a3975c68faf9bc7776115d6ae3005 , < c342092ef4b369bb409d5b71ac8fd83bab74aedf (git)
        cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Zhang Delong Jakub Witczak Ingela Anderton Andin Michał Wąsowski
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48859",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-10T16:19:16.914933Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-10T16:19:43.145Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unknown",
              "modules": [
                "ssh_auth",
                "ssh_options"
              ],
              "packageName": "ssh",
              "packageURL": "pkg:otp/ssh?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
              "product": "OTP",
              "programFiles": [
                "src/ssh_auth.erl",
                "src/ssh_options.erl"
              ],
              "programRoutines": [
                {
                  "name": "ssh_auth:check_password/3"
                },
                {
                  "name": "ssh_options:get_password_option/2"
                }
              ],
              "repo": "https://github.com/erlang/otp",
              "vendor": "Erlang",
              "versions": [
                {
                  "lessThan": "6.0.1",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "otp"
                }
              ]
            },
            {
              "collectionURL": "https://github.com",
              "cpes": [
                "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unknown",
              "modules": [
                "ssh_auth",
                "ssh_options"
              ],
              "packageName": "erlang/otp",
              "packageURL": "pkg:github/erlang/otp",
              "product": "OTP",
              "programFiles": [
                "lib/ssh/src/ssh_auth.erl",
                "lib/ssh/src/ssh_options.erl"
              ],
              "programRoutines": [
                {
                  "name": "ssh_auth:check_password/3"
                },
                {
                  "name": "ssh_options:get_password_option/2"
                }
              ],
              "repo": "https://github.com/erlang/otp",
              "vendor": "Erlang",
              "versions": [
                {
                  "lessThan": "29.0.2",
                  "status": "affected",
                  "version": "29.0",
                  "versionType": "otp"
                },
                {
                  "lessThan": "c342092ef4b369bb409d5b71ac8fd83bab74aedf",
                  "status": "affected",
                  "version": "032d1bc9491a3975c68faf9bc7776115d6ae3005",
                  "versionType": "git"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The SSH daemon must be configured with the \u003ctt\u003euser_passwords\u003c/tt\u003e or \u003ctt\u003epassword\u003c/tt\u003e option for password authentication. Systems using the \u003ctt\u003epwdfun\u003c/tt\u003e option instead are not affected."
                }
              ],
              "value": "The SSH daemon must be configured with the user_passwords or password option for password authentication. Systems using the pwdfun option instead are not affected."
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "29.0.2",
                      "versionStartIncluding": "29.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Zhang Delong"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Jakub Witczak"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Ingela Anderton Andin"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Micha\u0142 W\u0105sowski"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eObservable Timing Discrepancy vulnerability in Erlang/OTP ssh (ssh_auth, ssh_options modules) allows unauthenticated remote username enumeration via timing side-channel in password authentication.\u003c/p\u003e\u003cp\u003eWhen the SSH daemon is configured with the \u003ctt\u003euser_passwords\u003c/tt\u003e or \u003ctt\u003epassword\u003c/tt\u003e option, \u003ctt\u003essh_auth:check_password/3\u003c/tt\u003e performs a PBKDF2-SHA256 computation with 600,000 iterations (~300ms) for valid usernames, but returns immediately (~0ms) for invalid usernames via the \u003ctt\u003essh_options:get_password_option/2\u003c/tt\u003e path. This timing difference is detectable in a single authentication attempt and allows an unauthenticated attacker to distinguish valid from invalid usernames.\u003c/p\u003e\u003cp\u003eThe \u003ctt\u003euser_passwords\u003c/tt\u003e and \u003ctt\u003epassword\u003c/tt\u003e options are documented as intended for test purposes; the recommended alternative is \u003ctt\u003epwdfun\u003c/tt\u003e, which is not affected by this vulnerability.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/ssh/src/ssh_auth.erl\u003c/tt\u003e and \u003ctt\u003elib/ssh/src/ssh_options.erl\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 29.0 before 29.0.2 corresponding to ssh from 6.0 before 6.0.1.\u003c/p\u003e"
                }
              ],
              "value": "Observable Timing Discrepancy vulnerability in Erlang/OTP ssh (ssh_auth, ssh_options modules) allows unauthenticated remote username enumeration via timing side-channel in password authentication.\n\nWhen the SSH daemon is configured with the user_passwords or password option, ssh_auth:check_password/3 performs a PBKDF2-SHA256 computation with 600,000 iterations (~300ms) for valid usernames, but returns immediately (~0ms) for invalid usernames via the ssh_options:get_password_option/2 path. This timing difference is detectable in a single authentication attempt and allows an unauthenticated attacker to distinguish valid from invalid usernames.\n\nThe user_passwords and password options are documented as intended for test purposes; the recommended alternative is pwdfun, which is not affected by this vulnerability.\n\nThis vulnerability is associated with program files lib/ssh/src/ssh_auth.erl and lib/ssh/src/ssh_options.erl.\n\nThis issue affects OTP from OTP 29.0 before 29.0.2 corresponding to ssh from 6.0 before 6.0.1."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-116",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-116 Excavation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-208",
                  "description": "CWE-208 Observable Timing Discrepancy",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-11T04:45:32.938Z",
            "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "shortName": "EEF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "related"
              ],
              "url": "https://github.com/erlang/otp/security/advisories/GHSA-3w6p-vwhf-wvp4"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://cna.erlef.org/cves/CVE-2026-48859.html"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://osv.dev/vulnerability/EEF-CVE-2026-48859"
            },
            {
              "tags": [
                "x_version-scheme"
              ],
              "url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/erlang/otp/commit/c342092ef4b369bb409d5b71ac8fd83bab74aedf"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "SSH server timing side-channel in ssh_auth:check_password/3 allows unauthenticated username enumeration",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Use the \u003ctt\u003epwdfun\u003c/tt\u003e option instead of \u003ctt\u003euser_passwords\u003c/tt\u003e for password authentication. The \u003ctt\u003epwdfun\u003c/tt\u003e callback gives full control over timing behavior and is not affected by this vulnerability. Implementations should take care to execute in approximately constant time regardless of username validity."
                }
              ],
              "value": "Use the pwdfun option instead of user_passwords for password authentication. The pwdfun callback gives full control over timing behavior and is not affected by this vulnerability. Implementations should take care to execute in approximately constant time regardless of username validity."
            },
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Restrict SSH port access to trusted networks only via firewall rules, reducing the set of potential attackers who can perform timing measurements."
                }
              ],
              "value": "Restrict SSH port access to trusted networks only via firewall rules, reducing the set of potential attackers who can perform timing measurements."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "assignerShortName": "EEF",
        "cveId": "CVE-2026-48859",
        "datePublished": "2026-06-10T14:35:43.553Z",
        "dateReserved": "2026-05-25T20:44:10.697Z",
        "dateUpdated": "2026-06-11T04:45:32.938Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-32147 (GCVE-0-2026-32147)

    Vulnerability from cvelistv5 – Published: 2026-04-21 12:01 – Updated: 2026-06-10 14:35
    VLAI
    Title
    SFTP chroot bypass via path traversal in SSH_FXP_FSETSTAT
    Summary
    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP user to modify file attributes outside the configured chroot directory. The SFTP daemon (ssh_sftpd) stores the raw, user-supplied path in file handles instead of the chroot-resolved path. When SSH_FXP_FSETSTAT is issued on such a handle, file attributes (permissions, ownership, timestamps) are modified on the real filesystem path, bypassing the root directory boundary entirely. Any authenticated SFTP user on a server configured with the root option can modify file attributes of files outside the intended chroot boundary. The prerequisite is that a target file must exist on the real filesystem at the same relative path. Note that this vulnerability only allows modification of file attributes; file contents cannot be read or altered through this attack vector. If the SSH daemon runs as root, this enables direct privilege escalation: an attacker can set the setuid bit on any binary, change ownership of sensitive files, or make system configuration world-writable. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl and program routines ssh_sftpd:do_open/4 and ssh_sftpd:handle_op/4. This issue affects OTP from OTP 17.0 until OTP 28.4.3, 27.3.4.11, and 26.2.5.20 corresponding to ssh from 3.01 until 5.5.3, 5.2.11.7, and 5.1.4.15.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    EEF
    Impacted products
    Vendor Product Version
    Erlang OTP Affected: 3.01 , < * (otp)
        cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Erlang OTP Affected: 17.0 , < * (otp)
    Affected: 07b8f441ca711f9812fad9e9115bab3c3aa92f79 , < * (git)
        cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    John Downey Michał Wąsowski Jakub Witczak
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-32147",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-21T13:11:06.946869Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-21T13:11:40.325Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unknown",
              "modules": [
                "ssh_sftpd"
              ],
              "packageName": "ssh",
              "packageURL": "pkg:otp/ssh?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
              "product": "OTP",
              "programFiles": [
                "src/ssh_sftpd.erl"
              ],
              "programRoutines": [
                {
                  "name": "ssh_sftpd:do_open/4"
                },
                {
                  "name": "ssh_sftpd:handle_op/4"
                }
              ],
              "repo": "https://github.com/erlang/otp",
              "vendor": "Erlang",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "5.5.3",
                      "status": "unaffected"
                    },
                    {
                      "at": "5.2.11.7",
                      "status": "unaffected"
                    },
                    {
                      "at": "5.1.4.15",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "3.01",
                  "versionType": "otp"
                }
              ]
            },
            {
              "collectionURL": "https://github.com",
              "cpes": [
                "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unknown",
              "modules": [
                "ssh_sftpd"
              ],
              "packageName": "erlang/otp",
              "packageURL": "pkg:github/erlang/otp",
              "product": "OTP",
              "programFiles": [
                "lib/ssh/src/ssh_sftpd.erl"
              ],
              "programRoutines": [
                {
                  "name": "ssh_sftpd:do_open/4"
                },
                {
                  "name": "ssh_sftpd:handle_op/4"
                }
              ],
              "repo": "https://github.com/erlang/otp",
              "vendor": "Erlang",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "28.4.3",
                      "status": "unaffected"
                    },
                    {
                      "at": "27.3.4.11",
                      "status": "unaffected"
                    },
                    {
                      "at": "26.2.5.20",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "17.0",
                  "versionType": "otp"
                },
                {
                  "changes": [
                    {
                      "at": "28c5d5a6c5f873dc701b597276271763e7d1c004",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "07b8f441ca711f9812fad9e9115bab3c3aa92f79",
                  "versionType": "git"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The SFTP subsystem must be configured with the \u003ctt\u003eroot\u003c/tt\u003e option in \u003ctt\u003essh_sftpd:subsystem_spec/1\u003c/tt\u003e. The \u003ctt\u003eroot\u003c/tt\u003e option is not set by default."
                }
              ],
              "value": "The SFTP subsystem must be configured with the root option in ssh_sftpd:subsystem_spec/1. The root option is not set by default."
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "26.2.5.20",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "27.3.4.11",
                      "versionStartIncluding": "27.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "28.4.3",
                      "versionStartIncluding": "28.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "AND"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "John Downey"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Micha\u0142 W\u0105sowski"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Jakub Witczak"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in Erlang OTP \u003ctt\u003essh\u003c/tt\u003e (\u003ctt\u003essh_sftpd\u003c/tt\u003e module) allows an authenticated SFTP user to modify file attributes outside the configured chroot directory.\u003cp\u003eThe SFTP daemon (\u003ctt\u003essh_sftpd\u003c/tt\u003e) stores the raw, user-supplied path in file handles instead of the chroot-resolved path. When \u003ctt\u003eSSH_FXP_FSETSTAT\u003c/tt\u003e is issued on such a handle, file attributes (permissions, ownership, timestamps) are modified on the real filesystem path, bypassing the root directory boundary entirely.\u003c/p\u003e\u003cp\u003eAny authenticated SFTP user on a server configured with the \u003ctt\u003eroot\u003c/tt\u003e option can modify file attributes of files outside the intended chroot boundary. The prerequisite is that a target file must exist on the real filesystem at the same relative path. Note that this vulnerability only allows modification of file attributes; file contents cannot be read or altered through this attack vector.\u003c/p\u003e\u003cp\u003eIf the SSH daemon runs as \u003ctt\u003eroot\u003c/tt\u003e, this enables direct privilege escalation: an attacker can set the setuid bit on any binary, change ownership of sensitive files, or make system configuration world-writable.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/ssh/src/ssh_sftpd.erl\u003c/tt\u003e and program routines \u003ctt\u003essh_sftpd:do_open/4\u003c/tt\u003e and \u003ctt\u003essh_sftpd:handle_op/4\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 17.0 until OTP 28.4.3, 27.3.4.11, and 26.2.5.20 corresponding to \u003ctt\u003essh\u003c/tt\u003e from 3.01 until 5.5.3, 5.2.11.7, and 5.1.4.15.\u003c/p\u003e"
                }
              ],
              "value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP user to modify file attributes outside the configured chroot directory.\n\nThe SFTP daemon (ssh_sftpd) stores the raw, user-supplied path in file handles instead of the chroot-resolved path. When SSH_FXP_FSETSTAT is issued on such a handle, file attributes (permissions, ownership, timestamps) are modified on the real filesystem path, bypassing the root directory boundary entirely.\n\nAny authenticated SFTP user on a server configured with the root option can modify file attributes of files outside the intended chroot boundary. The prerequisite is that a target file must exist on the real filesystem at the same relative path. Note that this vulnerability only allows modification of file attributes; file contents cannot be read or altered through this attack vector.\n\nIf the SSH daemon runs as root, this enables direct privilege escalation: an attacker can set the setuid bit on any binary, change ownership of sensitive files, or make system configuration world-writable.\n\nThis vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl and program routines ssh_sftpd:do_open/4 and ssh_sftpd:handle_op/4.\n\nThis issue affects OTP from OTP 17.0 until OTP 28.4.3, 27.3.4.11, and 26.2.5.20 corresponding to ssh from 3.01 until 5.5.3, 5.2.11.7, and 5.1.4.15."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-10T14:35:34.287Z",
            "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "shortName": "EEF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "related"
              ],
              "url": "https://github.com/erlang/otp/security/advisories/GHSA-28jg-mw9x-hpm5"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://cna.erlef.org/cves/CVE-2026-32147.html"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://osv.dev/vulnerability/EEF-CVE-2026-32147"
            },
            {
              "tags": [
                "x_version-scheme"
              ],
              "url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/erlang/otp/commit/28c5d5a6c5f873dc701b597276271763e7d1c004"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "SFTP chroot bypass via path traversal in SSH_FXP_FSETSTAT",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cul\u003e\u003cli\u003eDo not use the \u003ctt\u003eroot\u003c/tt\u003e option in \u003ctt\u003essh_sftpd:subsystem_spec/1\u003c/tt\u003e, and instead rely on OS-level chroot or container isolation to confine SFTP users.\u003c/li\u003e\u003cli\u003eEnsure the Erlang VM is not running as a privileged OS user. Running the VM as an unprivileged user limits the impact of this vulnerability, since attribute modifications are constrained by that user\u0027s OS-level permissions.\u003c/li\u003e\u003c/ul\u003e"
                }
              ],
              "value": "* Do not use the root option in ssh_sftpd:subsystem_spec/1, and instead rely on OS-level chroot or container isolation to confine SFTP users.\n* Ensure the Erlang VM is not running as a privileged OS user. Running the VM as an unprivileged user limits the impact of this vulnerability, since attribute modifications are constrained by that user\u0027s OS-level permissions."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "assignerShortName": "EEF",
        "cveId": "CVE-2026-32147",
        "datePublished": "2026-04-21T12:01:20.350Z",
        "dateReserved": "2026-03-10T22:37:29.213Z",
        "dateUpdated": "2026-06-10T14:35:34.287Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-23943 (GCVE-0-2026-23943)

    Vulnerability from cvelistv5 – Published: 2026-03-13 09:11 – Updated: 2026-06-10 14:35
    VLAI
    Title
    Pre-auth SSH DoS via unbounded zlib inflate
    Summary
    Improper Handling of Highly Compressed Data (Compression Bomb) vulnerability in Erlang OTP ssh (ssh_transport modules) allows Denial of Service via Resource Depletion. The SSH transport layer advertises legacy zlib compression by default and inflates attacker-controlled payloads pre-authentication without any size limit, enabling reliable memory exhaustion DoS. Two compression algorithms are affected: * zlib: Activates immediately after key exchange, enabling unauthenticated attacks * zlib@openssh.com: Activates post-authentication, enabling authenticated attacks Each SSH packet can decompress ~255 MB from 256 KB of wire data (1029:1 amplification ratio). Multiple packets can rapidly exhaust available memory, causing OOM kills in memory-constrained environments. This vulnerability is associated with program files lib/ssh/src/ssh_transport.erl and program routines ssh_transport:decompress/2, ssh_transport:handle_packet_part/4. This issue affects OTP from OTP 17.0 until OTP 28.4.1, 27.3.4.9 and 26.2.5.18 corresponding to ssh from 3.0.1 until 5.5.1, 5.2.11.6 and 5.1.4.14.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)
    Assigner
    EEF
    Impacted products
    Vendor Product Version
    Erlang OTP Affected: 3.0.1 , < * (otp)
        cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Erlang OTP Affected: 17.0 , < * (otp)
    Affected: 07b8f441ca711f9812fad9e9115bab3c3aa92f79 , < * (git)
        cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Igor Morgenstern / Aisle Research Michał Wąsowski Jakub Witczak
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-23943",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-13T16:01:40.898658Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-13T16:01:48.609Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unknown",
              "modules": [
                "ssh_transport"
              ],
              "packageName": "ssh",
              "packageURL": "pkg:otp/ssh?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
              "product": "OTP",
              "programFiles": [
                "src/ssh_transport.erl"
              ],
              "programRoutines": [
                {
                  "name": "ssh_transport:decompress/2"
                },
                {
                  "name": "ssh_transport:handle_packet_part/4"
                }
              ],
              "repo": "https://github.com/erlang/otp",
              "vendor": "Erlang",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "5.5.1",
                      "status": "unaffected"
                    },
                    {
                      "at": "5.2.11.6",
                      "status": "unaffected"
                    },
                    {
                      "at": "5.1.4.14",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "3.0.1",
                  "versionType": "otp"
                }
              ]
            },
            {
              "collectionURL": "https://github.com",
              "cpes": [
                "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unknown",
              "modules": [
                "ssh_transport"
              ],
              "packageName": "erlang/otp",
              "packageURL": "pkg:github/erlang/otp",
              "product": "OTP",
              "programFiles": [
                "lib/ssh/src/ssh_transport.erl"
              ],
              "programRoutines": [
                {
                  "name": "ssh_transport:decompress/2"
                },
                {
                  "name": "ssh_transport:handle_packet_part/4"
                }
              ],
              "repo": "https://github.com/erlang/otp",
              "vendor": "Erlang",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "28.4.1",
                      "status": "unaffected"
                    },
                    {
                      "at": "27.3.4.9",
                      "status": "unaffected"
                    },
                    {
                      "at": "26.2.5.18",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "17.0",
                  "versionType": "otp"
                },
                {
                  "changes": [
                    {
                      "at": "43a87b949bdff12d629a8c34146711d9da93b1b1",
                      "status": "unaffected"
                    },
                    {
                      "at": "93073c3bd338c60cd2bae715ce6a1d4ffc1a8fd3",
                      "status": "unaffected"
                    },
                    {
                      "at": "0c1c04b191f6ab940e8fcfabce39eb5a8a6440a4",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "07b8f441ca711f9812fad9e9115bab3c3aa92f79",
                  "versionType": "git"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The SSH server or client must advertise \u003ctt\u003ezlib\u003c/tt\u003e or \u003ctt\u003ezlib@openssh.com\u003c/tt\u003e compression. Both are enabled by default. With \u003ctt\u003ezlib\u003c/tt\u003e, the attack is pre-authentication; with \u003ctt\u003ezlib@openssh.com\u003c/tt\u003e, authentication is required first."
                }
              ],
              "value": "The SSH server or client must advertise zlib or zlib@openssh.com compression. Both are enabled by default. With zlib, the attack is pre-authentication; with zlib@openssh.com, authentication is required first."
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "26.2.5.18",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "27.3.4.9",
                      "versionStartIncluding": "27.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "28.4.1",
                      "versionStartIncluding": "28.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "AND"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Igor Morgenstern / Aisle Research"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Micha\u0142 W\u0105sowski"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Jakub Witczak"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Handling of Highly Compressed Data (Compression Bomb) vulnerability in Erlang OTP ssh (ssh_transport modules) allows Denial of Service via Resource Depletion.\u003cp\u003eThe SSH transport layer advertises legacy zlib compression by default and inflates attacker-controlled payloads pre-authentication without any size limit, enabling reliable memory exhaustion DoS.\u003c/p\u003e\u003cp\u003eTwo compression algorithms are affected:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cb\u003ezlib:\u003c/b\u003e Activates immediately after key exchange, enabling unauthenticated attacks\u003c/li\u003e\u003cli\u003e\u003cb\u003ezlib@openssh.com:\u003c/b\u003e Activates post-authentication, enabling authenticated attacks\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eEach SSH packet can decompress ~255 MB from 256 KB of wire data (1029:1 amplification ratio). Multiple packets can rapidly exhaust available memory, causing OOM kills in memory-constrained environments.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/ssh/src/ssh_transport.erl\u003c/tt\u003e and program routines \u003ctt\u003essh_transport:decompress/2\u003c/tt\u003e, \u003ctt\u003essh_transport:handle_packet_part/4\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 17.0 until OTP 28.4.1, 27.3.4.9 and 26.2.5.18 corresponding to ssh from 3.0.1 until 5.5.1, 5.2.11.6 and 5.1.4.14.\u003c/p\u003e"
                }
              ],
              "value": "Improper Handling of Highly Compressed Data (Compression Bomb) vulnerability in Erlang OTP ssh (ssh_transport modules) allows Denial of Service via Resource Depletion.\n\nThe SSH transport layer advertises legacy zlib compression by default and inflates attacker-controlled payloads pre-authentication without any size limit, enabling reliable memory exhaustion DoS.\n\nTwo compression algorithms are affected:\n\n* zlib: Activates immediately after key exchange, enabling unauthenticated attacks\n* zlib@openssh.com: Activates post-authentication, enabling authenticated attacks\n\nEach SSH packet can decompress ~255 MB from 256 KB of wire data (1029:1 amplification ratio). Multiple packets can rapidly exhaust available memory, causing OOM kills in memory-constrained environments.\n\nThis vulnerability is associated with program files lib/ssh/src/ssh_transport.erl and program routines ssh_transport:decompress/2, ssh_transport:handle_packet_part/4.\n\nThis issue affects OTP from OTP 17.0 until OTP 28.4.1, 27.3.4.9 and 26.2.5.18 corresponding to ssh from 3.0.1 until 5.5.1, 5.2.11.6 and 5.1.4.14."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-130",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-130 Excessive Allocation"
                }
              ]
            },
            {
              "capecId": "CAPEC-490",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-490 Amplification"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-409",
                  "description": "CWE-409 Improper Handling of Highly Compressed Data (Data Amplification)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-10T14:35:39.425Z",
            "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "shortName": "EEF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "related"
              ],
              "url": "https://github.com/erlang/otp/security/advisories/GHSA-c836-qprm-jw9r"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://cna.erlef.org/cves/CVE-2026-23943.html"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://osv.dev/vulnerability/EEF-CVE-2026-23943"
            },
            {
              "tags": [
                "x_version-scheme"
              ],
              "url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/erlang/otp/commit/43a87b949bdff12d629a8c34146711d9da93b1b1"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/erlang/otp/commit/93073c3bd338c60cd2bae715ce6a1d4ffc1a8fd3"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/erlang/otp/commit/0c1c04b191f6ab940e8fcfabce39eb5a8a6440a4"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Pre-auth SSH DoS via unbounded zlib inflate",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003e\u003cb\u003eBest workaround - Disable all compression:\u003c/b\u003e\u003c/p\u003e\u003cpre\u003e{preferred_algorithms, [{compression, [\u0027none\u0027]}]}\u003c/pre\u003e\u003cp\u003e\u003cb\u003eAlternative mitigations (less secure):\u003c/b\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eDisable only pre-auth zlib compression (authenticated users can still exploit via zlib@openssh.com):\u003cpre\u003e{modify_algorithms, [{rm, [{compression, [\u0027zlib\u0027]}]}]}\u003c/pre\u003e\u003c/li\u003e\u003cli\u003eLimit concurrent sessions (reduces attack surface but does not prevent exploitation):\u003cpre\u003e{max_sessions, N}  % Cap total concurrent sessions (default is infinity)\u003c/pre\u003e\u003c/li\u003e\u003c/ul\u003e"
                }
              ],
              "value": "Best workaround - Disable all compression:\n\n{preferred_algorithms, [{compression, [\u0027none\u0027]}]}\n\nAlternative mitigations (less secure):\n\n* Disable only pre-auth zlib compression (authenticated users can still exploit via zlib@openssh.com):\n  {modify_algorithms, [{rm, [{compression, [\u0027zlib\u0027]}]}]}\n* Limit concurrent sessions (reduces attack surface but does not prevent exploitation):\n  {max_sessions, N}  % Cap total concurrent sessions (default is infinity)"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "assignerShortName": "EEF",
        "cveId": "CVE-2026-23943",
        "datePublished": "2026-03-13T09:11:57.794Z",
        "dateReserved": "2026-01-19T14:23:14.343Z",
        "dateUpdated": "2026-06-10T14:35:39.425Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-23942 (GCVE-0-2026-23942)

    Vulnerability from cvelistv5 – Published: 2026-03-13 09:11 – Updated: 2026-05-27 15:41
    VLAI
    Title
    SFTP root escape via component-agnostic prefix check in ssh_sftpd
    Summary
    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP (ssh_sftpd module) allows Path Traversal. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl and program routines ssh_sftpd:is_within_root/2. The SFTP server uses string prefix matching via lists:prefix/2 rather than proper path component validation when checking if a path is within the configured root directory. This allows authenticated users to access sibling directories that share a common name prefix with the configured root directory. For example, if root is set to /home/user1, paths like /home/user10 or /home/user1_backup would incorrectly be considered within the root. This issue affects OTP from OTP 17.0 until OTP 28.4.1, OTP 27.3.4.9 and OTP 26.2.5.18, corresponding to ssh from 3.0.1 until 5.5.1, 5.2.11.6 and 5.1.4.14.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    EEF
    Impacted products
    Vendor Product Version
    Erlang OTP Affected: 3.0.1 , < * (otp)
        cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Erlang OTP Affected: 17.0 , < * (otp)
    Affected: 0 , < * (git)
        cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Luigino Camastra / Aisle Research Jakub Witczak Michał Wąsowski
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-23942",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-13T16:02:31.222384Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-13T16:02:38.388Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unknown",
              "modules": [
                "ssh_sftpd"
              ],
              "packageName": "ssh",
              "packageURL": "pkg:otp/ssh?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
              "product": "OTP",
              "programFiles": [
                "src/ssh_sftpd.erl"
              ],
              "programRoutines": [
                {
                  "name": "ssh_sftpd:is_within_root/2"
                }
              ],
              "repo": "https://github.com/erlang/otp",
              "vendor": "Erlang",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "5.5.1",
                      "status": "unaffected"
                    },
                    {
                      "at": "5.2.11.6",
                      "status": "unaffected"
                    },
                    {
                      "at": "5.1.4.14",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "3.0.1",
                  "versionType": "otp"
                }
              ]
            },
            {
              "collectionURL": "https://github.com",
              "cpes": [
                "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unknown",
              "modules": [
                "ssh_sftpd"
              ],
              "packageName": "erlang/otp",
              "packageURL": "pkg:github/erlang/otp",
              "product": "OTP",
              "programFiles": [
                "lib/ssh/src/ssh_sftpd.erl"
              ],
              "programRoutines": [
                {
                  "name": "ssh_sftpd:is_within_root/2"
                }
              ],
              "repo": "https://github.com/erlang/otp",
              "vendor": "Erlang",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "28.4.1",
                      "status": "unaffected"
                    },
                    {
                      "at": "27.3.4.9",
                      "status": "unaffected"
                    },
                    {
                      "at": "26.2.5.18",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "17.0",
                  "versionType": "otp"
                },
                {
                  "changes": [
                    {
                      "at": "27688a824f753d4c16371dc70e88753fb410590b",
                      "status": "unaffected"
                    },
                    {
                      "at": "9e0ac85d3485e7898e0da88a14be0ee2310a3b28",
                      "status": "unaffected"
                    },
                    {
                      "at": "5ed603a1211b83b8be2d1fc06d3f3bf30c3c9759",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "0",
                  "versionType": "git"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The SFTP subsystem must be enabled on the SSH server, the SSH port must be reachable by the attacker, and a root directory must be configured. This is the case when \u003ctt\u003essh_sftpd\u003c/tt\u003e is included in the \u003ctt\u003esubsystems\u003c/tt\u003e option with a \u003ctt\u003eroot\u003c/tt\u003e parameter and there exist sibling directories sharing the same name prefix as the root."
                }
              ],
              "value": "The SFTP subsystem must be enabled on the SSH server, the SSH port must be reachable by the attacker, and a root directory must be configured. This is the case when ssh_sftpd is included in the subsystems option with a root parameter and there exist sibling directories sharing the same name prefix as the root."
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "26.2.5.18",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "27.3.4.9",
                      "versionStartIncluding": "27.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "28.4.1",
                      "versionStartIncluding": "28.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "AND"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Luigino Camastra / Aisle Research"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Jakub Witczak"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Micha\u0142 W\u0105sowski"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in Erlang OTP (ssh_sftpd module) allows Path Traversal.\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/ssh/src/ssh_sftpd.erl\u003c/tt\u003e and program routines \u003ctt\u003essh_sftpd:is_within_root/2\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThe SFTP server uses string prefix matching via \u003ctt\u003elists:prefix/2\u003c/tt\u003e rather than proper path component validation when checking if a path is within the configured root directory. This allows authenticated users to access sibling directories that share a common name prefix with the configured root directory. For example, if root is set to \u003ctt\u003e/home/user1\u003c/tt\u003e, paths like \u003ctt\u003e/home/user10\u003c/tt\u003e or \u003ctt\u003e/home/user1_backup\u003c/tt\u003e would incorrectly be considered within the root.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 17.0 until OTP 28.4.1, OTP 27.3.4.9 and OTP 26.2.5.18, corresponding to ssh from 3.0.1 until 5.5.1, 5.2.11.6 and 5.1.4.14.\u003c/p\u003e"
                }
              ],
              "value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in Erlang OTP (ssh_sftpd module) allows Path Traversal.\n\nThis vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl and program routines ssh_sftpd:is_within_root/2.\n\nThe SFTP server uses string prefix matching via lists:prefix/2 rather than proper path component validation when checking if a path is within the configured root directory. This allows authenticated users to access sibling directories that share a common name prefix with the configured root directory. For example, if root is set to /home/user1, paths like /home/user10 or /home/user1_backup would incorrectly be considered within the root.\n\nThis issue affects OTP from OTP 17.0 until OTP 28.4.1, OTP 27.3.4.9 and OTP 26.2.5.18, corresponding to ssh from 3.0.1 until 5.5.1, 5.2.11.6 and 5.1.4.14."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-126",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-126 Path Traversal"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-27T15:41:40.808Z",
            "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "shortName": "EEF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "related"
              ],
              "url": "https://github.com/erlang/otp/security/advisories/GHSA-4749-w85x-hw9h"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://cna.erlef.org/cves/CVE-2026-23942.html"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://osv.dev/vulnerability/EEF-CVE-2026-23942"
            },
            {
              "tags": [
                "x_version-scheme"
              ],
              "url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/erlang/otp/commit/27688a824f753d4c16371dc70e88753fb410590b"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/erlang/otp/commit/9e0ac85d3485e7898e0da88a14be0ee2310a3b28"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/erlang/otp/commit/5ed603a1211b83b8be2d1fc06d3f3bf30c3c9759"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "SFTP root escape via component-agnostic prefix check in ssh_sftpd",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cul\u003e\u003cli\u003eUse OS-level chroot to run the Erlang VM/SFTP server process in an isolated filesystem environment.\u003c/li\u003e\u003cli\u003eEnsure that no sensitive or precious data is readable or writable by the OS user running the Erlang VM.\u003c/li\u003e\u003cli\u003eEnsure that the SFTP server port is not reachable from untrusted machines.\u003c/li\u003e\u003cli\u003eUse directory naming conventions that avoid common prefixes (e.g., \u003ctt\u003e/home/users/alice/\u003c/tt\u003e instead of \u003ctt\u003e/home/user1/\u003c/tt\u003e).\u003c/li\u003e\u003c/ul\u003e"
                }
              ],
              "value": "* Use OS-level chroot to run the Erlang VM/SFTP server process in an isolated filesystem environment.\n* Ensure that no sensitive or precious data is readable or writable by the OS user running the Erlang VM.\n* Ensure that the SFTP server port is not reachable from untrusted machines.\n* Use directory naming conventions that avoid common prefixes (e.g., /home/users/alice/ instead of /home/user1/)."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "assignerShortName": "EEF",
        "cveId": "CVE-2026-23942",
        "datePublished": "2026-03-13T09:11:56.424Z",
        "dateReserved": "2026-01-19T14:23:14.343Z",
        "dateUpdated": "2026-05-27T15:41:40.808Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }