PatchSiren cyber security CVE debrief

CVE-2026-23943 Erlang CVE debrief

CVE-2026-23943 is a denial-of-service vulnerability in Erlang/OTP's SSH transport layer. The ssh_transport code can inflate attacker-controlled data without a size limit, allowing memory exhaustion and OOM kills, especially on memory-constrained systems.

Vendor: Erlang
Product: OTP
CVSS: 6.9 (MEDIUM)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-13
Original CVE updated: 2026-05-21
Advisory published: 2026-03-13
Advisory updated: 2026-05-21

Who should care

Operators and developers running Erlang/OTP SSH services, especially internet-exposed deployments and systems with limited memory. Security teams responsible for remote administration, automation, or appliance-style services built on OTP's ssh application should also prioritize review.

Technical summary

The issue is improper handling of highly compressed data (CWE-409) in lib/ssh/src/ssh_transport.erl, specifically ssh_transport:decompress/2 and ssh_transport:handle_packet_part/4. According to the CVE description, the SSH transport layer advertises legacy zlib compression by default and inflates attacker-controlled payloads before authentication without any size limit. Two compression modes are relevant: zlib activates immediately after key exchange, so an unauthenticated peer can trigger inflation, while zlib@openssh.com (delayed compression) activates only after authentication. The supplied description states that a single SSH packet can expand from about 256 KB on the wire to roughly 255 MB in memory, and that repeated packets can rapidly consume available memory and crash the service. NVD lists the affected OTP ranges as 17.0 up to, but not including, the fixed releases 28.4.1, 27.3.4.9, and 26.2.5.18, with corresponding affected ssh application versions 3.0.1 up to the fixed versions 5.5.1, 5.2.11.6, and 5.1.4.14.

Defensive priority

High for internet-facing SSH services; the impact is network-reachable availability loss through resource depletion, with especially strong risk on memory-constrained hosts.

Recommended defensive actions

  • Upgrade Erlang/OTP to a fixed release in your supported branch: 28.4.1, 27.3.4.9, or 26.2.5.18.
  • If you track the ssh application separately, move to the corresponding fixed ssh versions: 5.5.1, 5.2.11.6, or 5.1.4.14.
  • Review whether SSH compression is needed in your environment and disable legacy compression where operationally feasible until patched.
  • Prioritize exposed systems and constrained environments, since repeated compressed packets can trigger memory exhaustion and OOM kills.
  • After remediation, monitor for abnormal SSH-related memory growth, process restarts, or OOM events during the change window.

Evidence notes

This debrief is based on the supplied CVE description, NVD metadata, and official references. NVD classifies the weakness as CWE-409 and provides the affected OTP and ssh version ranges. The reference set includes the ERLEF CNA advisory, the GitHub OTP patch commits, the GitHub security advisory, OSV, and Erlang version-order documentation.

Official resources

CVE published 2026-03-13T19:54:15.783Z; NVD record last modified 2026-05-21T15:22:36.017Z.