PatchSiren cyber security CVE debrief
CVE-2026-54886 Erlang CVE debrief
CVE-2026-54886 is an infinite loop vulnerability in the Erlang OTP SSH (ssh_sftpd module). An authenticated SFTP user can render an SFTP channel permanently unresponsive by sending SSH_MSG_CHANNEL_EXTENDED_DATA with any data_type_code and any non-empty payload at or below the SFTP packet size limit. The vulnerability affects OTP from OTP 17.0 until OTP 29.0.3, 28.5.0.3, and 27.3.4.14 corresponding to ssh from 3.0.1 until 6.0.2, 5.5.2.2, and 5.2.11.9.
- Vendor
- Erlang
- Product
- OTP
- CVSS
- MEDIUM 5.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-02
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-07-02
- Advisory updated
- 2026-07-07
Who should care
Users of Erlang OTP SSH, particularly those using SFTP, should be aware of this vulnerability and take steps to mitigate it. This includes upgrading to a patched version of OTP and limiting the number of channels per connection.
Technical summary
The handle_data/4 function in ssh_sftpd contains a catch-all clause that accepts channel data of any type. When channel data with a non-zero type code (SSH_MSG_CHANNEL_EXTENDED_DATA) arrives with an empty pending buffer and a payload at or below the SFTP packet size limit, the clause tail-calls itself with identical arguments, creating an infinite loop. The SFTP protocol operates exclusively on normal channel data (type 0). Extended data (non-zero type) is meaningless for SFTP and is never sent by conforming clients. However, the SSH protocol permits any channel participant to send extended data on an open channel, so an authenticated SFTP client can trigger the loop by sending SSH_MSG_CHANNEL_EXTENDED_DATA with any data_type_code and any non-empty payload at or below the size limit.
Defensive priority
High
Recommended defensive actions
- Upgrade to a patched version of OTP
- Limit the number of channels per connection
- Monitor SFTP channel activity for suspicious behavior
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
The vulnerability is associated with program file lib/ssh/src/ssh_sftpd.erl and program routine ssh_sftpd:handle_data/4. The CVE record was published on 2026-07-02T17:17:02.387Z and modified on 2026-07-07T14:53:35.410Z.
Official resources
-
CVE-2026-54886 CVE record
CVE.org
-
CVE-2026-54886 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
6b3ad84c-e1a6-4bf7-a703-f496b71e49db - Mitigation, Vendor Advisory
-
Mitigation or vendor reference
6b3ad84c-e1a6-4bf7-a703-f496b71e49db - Patch
-
Mitigation or vendor reference
6b3ad84c-e1a6-4bf7-a703-f496b71e49db - Mitigation, Vendor Advisory
-
Mitigation or vendor reference
6b3ad84c-e1a6-4bf7-a703-f496b71e49db - Mitigation, Third Party Advisory
-
Mitigation or vendor reference
6b3ad84c-e1a6-4bf7-a703-f496b71e49db - Release Notes
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-02T17:17:02.387Z and has not been modified since then.