CVE-2026-55950 (GCVE-0-2026-55950)

Vulnerability from cvelistv5 – Published: 2026-07-02 16:06 – Updated: 2026-07-03 04:29
Title
DTLS listener crash via race condition in dtls_packet_demux causes denial of service for all sessions
Summary
Time-of-check Time-of-use (TOCTOU) race condition vulnerability in Erlang/OTP ssl (dtls_packet_demux module) allows an unauthenticated remote attacker to crash all active DTLS sessions on a listener.

A DTLS server listener uses a single shared dtls_packet_demux gen_server process to route incoming UDP datagrams to the correct connection handler. When a DTLS client reconnects rapidly from the same source address and port (sending multiple ClientHello messages in quick succession), a race condition in the demux's internal gb_trees key-value store causes a {key_exists, {old, Client}} crash, terminating the demux process. Because the demux is shared across all DTLS associations on that listener, its crash immediately kills every active DTLS session, not just the attacker's.

The attack is pre-authentication: the attacker only needs to send UDP datagrams containing valid ClientHello messages from the same source IP and port before the intermediate DOWN monitor message is processed by the gen_server. No credentials, no completed handshake, and no special configuration are required, and the crash can be repeated indefinitely to create a persistent denial of service for all clients of that listener.

This vulnerability is associated with program file lib/ssl/src/dtls_packet_demux.erl.

This issue affects OTP from OTP 25.3 before 29.0.3, 28.5.0.3, and 27.3.4.14, corresponding to ssl from 10.9 before 11.7.3, 11.6.0.3, and 11.2.12.10.
SSVC
Exploitation: none; Automatable: yes; Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
Assigner
EEF
Impacted products
Vendor Product Version
Erlang OTP Affected: ssl 10.9 and later (versionType otp); unaffected from 11.7.3, 11.6.0.3 and 11.2.12.10
    cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
Erlang OTP Affected: OTP 25.3 and later (versionType otp); unaffected from 29.0.3, 28.5.0.3 and 27.3.4.14
Affected: git 44dcb4c3d900777493ce2a6129f451aa475811f9 , < e44d2bf01c4473ef2ea7f09e3523cf96de6e4a04
    cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
Credits
  • Lukas Backström (finder)
  • Ingela Anderton Andin (remediation developer)
  • Dan Gudmundsson (remediation reviewer)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-55950",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-02T17:25:47.169172Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-02T17:25:53.041Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "dtls_packet_demux"
          ],
          "packageName": "ssl",
          "packageURL": "pkg:otp/ssl?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
          "product": "OTP",
          "programFiles": [
            "src/dtls_packet_demux.erl"
          ],
          "programRoutines": [
            {
              "name": "dtls_packet_demux:handle_call/3"
            },
            {
              "name": "dtls_packet_demux:handle_info/2"
            },
            {
              "name": "dtls_packet_demux:new_connection/2"
            }
          ],
          "repo": "https://github.com/erlang/otp",
          "vendor": "Erlang",
          "versions": [
            {
              "changes": [
                {
                  "at": "11.7.3",
                  "status": "unaffected"
                },
                {
                  "at": "11.6.0.3",
                  "status": "unaffected"
                },
                {
                  "at": "11.2.12.10",
                  "status": "unaffected"
                }
              ],
              "lessThan": "*",
              "status": "affected",
              "version": "10.9",
              "versionType": "otp"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "dtls_packet_demux"
          ],
          "packageName": "erlang/otp",
          "packageURL": "pkg:github/erlang/otp",
          "product": "OTP",
          "programFiles": [
            "lib/ssl/src/dtls_packet_demux.erl"
          ],
          "programRoutines": [
            {
              "name": "dtls_packet_demux:handle_call/3"
            },
            {
              "name": "dtls_packet_demux:handle_info/2"
            },
            {
              "name": "dtls_packet_demux:new_connection/2"
            }
          ],
          "repo": "https://github.com/erlang/otp",
          "vendor": "Erlang",
          "versions": [
            {
              "changes": [
                {
                  "at": "29.0.3",
                  "status": "unaffected"
                },
                {
                  "at": "28.5.0.3",
                  "status": "unaffected"
                },
                {
                  "at": "27.3.4.14",
                  "status": "unaffected"
                }
              ],
              "lessThan": "*",
              "status": "affected",
              "version": "25.3",
              "versionType": "otp"
            },
            {
              "lessThan": "e44d2bf01c4473ef2ea7f09e3523cf96de6e4a04",
              "status": "affected",
              "version": "44dcb4c3d900777493ce2a6129f451aa475811f9",
              "versionType": "git"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe application must accept incoming DTLS connections via \u003ctt\u003essl:listen/2\u003c/tt\u003e with a UDP-based transport. TLS-only deployments are not affected.\u003c/p\u003e"
            }
          ],
          "value": "The application must accept incoming DTLS connections via ssl:listen/2 with a UDP-based transport. TLS-only deployments are not affected."
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "27.3.4.14",
                  "versionStartIncluding": "25.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "28.5.0.3",
                  "versionStartIncluding": "28.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "29.0.3",
                  "versionStartIncluding": "29.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Lukas Backstr\u00f6m"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Ingela Anderton Andin"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "Dan Gudmundsson"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eTime-of-check Time-of-use (TOCTOU) race condition vulnerability in Erlang/OTP ssl (\u003ctt\u003edtls_packet_demux\u003c/tt\u003e module) allows an unauthenticated remote attacker to crash all active DTLS sessions on a listener.\u003c/p\u003e\u003cp\u003eA DTLS server listener uses a single shared \u003ctt\u003edtls_packet_demux\u003c/tt\u003e \u003ctt\u003egen_server\u003c/tt\u003e process to route incoming UDP datagrams to the correct connection handler. When a DTLS client reconnects rapidly from the same source address and port (sending multiple \u003ctt\u003eClientHello\u003c/tt\u003e messages in quick succession), a race condition in the demux\u0027s internal \u003ctt\u003egb_trees\u003c/tt\u003e key-value store causes a \u003ctt\u003e{key_exists, {old, Client}}\u003c/tt\u003e crash, terminating the demux process. Because the demux is shared across all DTLS associations on that listener, its crash immediately kills every active DTLS session, not just the attacker\u0027s.\u003c/p\u003e\u003cp\u003eThe attack is pre-authentication: the attacker only needs to send UDP datagrams containing valid \u003ctt\u003eClientHello\u003c/tt\u003e messages from the same source IP and port before the intermediate \u003ctt\u003eDOWN\u003c/tt\u003e monitor message is processed by the \u003ctt\u003egen_server\u003c/tt\u003e. No credentials, no completed handshake, and no special configuration are required, and the crash can be repeated indefinitely to create a persistent denial of service for all clients of that listener.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program file \u003ctt\u003elib/ssl/src/dtls_packet_demux.erl\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 25.3 before 29.0.3, 28.5.0.3, and 27.3.4.14 corresponding to ssl from 10.9 before 11.7.3, 11.6.0.3, and 11.2.12.10.\u003c/p\u003e"
            }
          ],
          "value": "Time-of-check Time-of-use (TOCTOU) race condition vulnerability in Erlang/OTP ssl (dtls_packet_demux module) allows an unauthenticated remote attacker to crash all active DTLS sessions on a listener.\n\nA DTLS server listener uses a single shared dtls_packet_demux gen_server process to route incoming UDP datagrams to the correct connection handler. When a DTLS client reconnects rapidly from the same source address and port (sending multiple ClientHello messages in quick succession), a race condition in the demux\u0027s internal gb_trees key-value store causes a {key_exists, {old, Client}} crash, terminating the demux process. Because the demux is shared across all DTLS associations on that listener, its crash immediately kills every active DTLS session, not just the attacker\u0027s.\n\nThe attack is pre-authentication: the attacker only needs to send UDP datagrams containing valid ClientHello messages from the same source IP and port before the intermediate DOWN monitor message is processed by the gen_server. No credentials, no completed handshake, and no special configuration are required, and the crash can be repeated indefinitely to create a persistent denial of service for all clients of that listener.\n\nThis vulnerability is associated with program file lib/ssl/src/dtls_packet_demux.erl.\n\nThis issue affects OTP from OTP 25.3 before 29.0.3, 28.5.0.3, and 27.3.4.14 corresponding to ssl from 10.9 before 11.7.3, 11.6.0.3, and 11.2.12.10."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-29",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-29 Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-367",
              "description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-03T04:29:33.147Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/erlang/otp/security/advisories/GHSA-hwfc-5hf4-gvr3"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-55950.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-55950"
        },
        {
          "tags": [
            "x_version-scheme"
          ],
          "url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/erlang/otp/commit/e44d2bf01c4473ef2ea7f09e3523cf96de6e4a04"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "DTLS listener crash via race condition in dtls_packet_demux causes denial of service for all sessions",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-55950",
    "datePublished": "2026-07-02T16:06:24.783Z",
    "dateReserved": "2026-06-17T17:55:15.685Z",
    "dateUpdated": "2026-07-03T04:29:33.147Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-55950",
      "date": "2026-07-03",
      "epss": "0.00406",
      "percentile": "0.32537"
    }
  }
}

