PatchSiren cyber security CVE debrief

CVE-2026-48859 Erlang CVE debrief

CVE-2026-48859 is a medium-severity vulnerability in Erlang/OTP SSH. The weakness class is Observable Timing Discrepancy: an unauthenticated remote attacker can enumerate valid usernames through a timing side-channel in password authentication. The issue arises when the SSH daemon is configured with the user_passwords or password option. In that configuration ssh_auth:check_password/3 performs a PBKDF2-SHA256 computation with 600,000 iterations for a valid username but returns immediately for an invalid one, so a valid username takes measurably longer to reject. The timing difference is large enough to be detected in a single authentication attempt.

Vendor
Erlang
Product
OTP
CVSS
MEDIUM 6.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-10
Original CVE updated
2026-06-10
Advisory published
2026-06-10
Advisory updated
2026-06-10

Who should care

Users of Erlang/OTP SSH who run the SSH daemon with the user_passwords or password option are affected and should review their configuration. The recommended alternative, the pwdfun option, is not affected.

Technical summary

The vulnerability is associated with the program files lib/ssh/src/ssh_auth.erl and lib/ssh/src/ssh_options.erl. It affects OTP 29.0 before 29.0.2, corresponding to the ssh application 6.0 before 6.0.1.

Defensive priority

medium

Recommended defensive actions

  • Update to OTP 29.0.2 or later, or ssh 6.0.1 or later.
  • Consider using the pwdfun option instead of user_passwords or password.
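The following is an added illustration of the mechanism described in the debrief and of the fix a password callback such as pwdfun should implement; it is written in Python rather than Erlang and is not code from OTP or from PatchSiren. It places the leaky pattern (no PBKDF2 work for an unknown user) beside a constant-work variant that always runs one PBKDF2-SHA256 derivation against a fixed dummy entry when the username is unknown. The user database, the dummy entry and the iteration count (reduced from the advisory's 600,000 so the demo runs in well under a second) are all constructed for this example.

```python
import hashlib
import hmac
import os
import time

# Iteration count reduced from the advisory's 600,000 so the demo runs quickly
# (assumption for this example only; keep production counts high).
ITERATIONS = 20_000
SALT_LEN = 16


def derive(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-SHA256 of the password; this is the expensive step the timing leak exposes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_user_db(creds):
    """Build a constructed username -> (salt, hash) table from plaintext sample credentials."""
    db = {}
    for user, pw in creds:
        salt = os.urandom(SALT_LEN)
        db[user] = (salt, derive(pw, salt))
    return db


# Constructed sample accounts; nothing here corresponds to a real deployment.
USER_DB = make_user_db([("alice", "correct horse"), ("bob", "hunter2")])

# Fixed dummy entry used to equalise work for unknown users. The caller never
# accepts a match against it, so it cannot be used to log in.
_DUMMY_SALT = b"\x00" * SALT_LEN
_DUMMY_HASH = derive("dummy-entry-never-accepted", _DUMMY_SALT)


def check_password_leaky(user: str, password: str, db=USER_DB):
    """Pattern the advisory describes: an unknown user returns before any PBKDF2 work.

    Returns (accepted, pbkdf2_calls) so the work done per branch is observable.
    """
    entry = db.get(user)
    if entry is None:
        return False, 0          # fast path: no derivation, hence the timing gap
    salt, expected = entry
    return hmac.compare_digest(derive(password, salt), expected), 1


def check_password_constant_work(user: str, password: str, db=USER_DB):
    """Hardened form: exactly one PBKDF2 derivation regardless of whether the user exists."""
    entry = db.get(user)
    known = entry is not None
    salt, expected = entry if known else (_DUMMY_SALT, _DUMMY_HASH)
    match = hmac.compare_digest(derive(password, salt), expected)
    # Combine after the derivation so the unknown-user branch does the same work.
    return (known and match), 1


def median_ms(fn, user: str, password: str, runs: int = 5) -> float:
    """Median wall-clock time of fn in milliseconds; used to confirm the fix closes the gap."""
    samples = []
    for _ in range(runs):
        t0 = time.perf_counter()
        fn(user, password)
        samples.append(time.perf_counter() - t0)
    samples.sort()
    return samples[len(samples) // 2] * 1000.0


if __name__ == "__main__":
    for fn in (check_password_leaky, check_password_constant_work):
        valid = median_ms(fn, "alice", "wrong-password")
        unknown = median_ms(fn, "mallory", "wrong-password")
        print(f"{fn.__name__}: known user {valid:.1f} ms, unknown user {unknown:.1f} ms")
```

Running the module prints the per-branch timings for both checks: the leaky version rejects an unknown user almost instantly while a known user costs a full derivation, and the constant-work version rejects both in roughly the same time. The same idea applies to a pwdfun callback: do the expensive derivation on every call, then decide acceptance.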

Evidence notes

The CVE record and details are sourced from official databases and vendor advisories.

Official resources

CVE-2026-48859 was published on 2026-06-10T16:17:12.373Z and modified on 2026-06-10T20:19:35.917Z.