PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-54886 Erlang CVE debrief

CVE-2026-54886 is an infinite loop vulnerability in the Erlang OTP SSH (ssh_sftpd module). An authenticated SFTP user can render an SFTP channel permanently unresponsive by sending SSH_MSG_CHANNEL_EXTENDED_DATA with any data_type_code and any non-empty payload at or below the SFTP packet size limit. The vulnerability affects OTP from OTP 17.0 until OTP 29.0.3, 28.5.0.3, and 27.3.4.14 corresponding to ssh from 3.0.1 until 6.0.2, 5.5.2.2, and 5.2.11.9.

Vendor
Erlang
Product
OTP
CVSS
MEDIUM 5.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-02
Original CVE updated
2026-07-07
Advisory published
2026-07-02
Advisory updated
2026-07-07

Who should care

Users of Erlang OTP SSH, particularly those using SFTP, should be aware of this vulnerability and take steps to mitigate it. This includes upgrading to a patched version of OTP and limiting the number of channels per connection.

Technical summary

The handle_data/4 function in ssh_sftpd contains a catch-all clause that accepts channel data of any type. When channel data with a non-zero type code (SSH_MSG_CHANNEL_EXTENDED_DATA) arrives with an empty pending buffer and a payload at or below the SFTP packet size limit, the clause tail-calls itself with identical arguments, creating an infinite loop. The SFTP protocol operates exclusively on normal channel data (type 0). Extended data (non-zero type) is meaningless for SFTP and is never sent by conforming clients. However, the SSH protocol permits any channel participant to send extended data on an open channel, so an authenticated SFTP client can trigger the loop by sending SSH_MSG_CHANNEL_EXTENDED_DATA with any data_type_code and any non-empty payload at or below the size limit.

Defensive priority

High

Recommended defensive actions

  • Upgrade to a patched version of OTP
  • Limit the number of channels per connection
  • Monitor SFTP channel activity for suspicious behavior
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The vulnerability is associated with program file lib/ssh/src/ssh_sftpd.erl and program routine ssh_sftpd:handle_data/4. The CVE record was published on 2026-07-02T17:17:02.387Z and modified on 2026-07-07T14:53:35.410Z.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-02T17:17:02.387Z and has not been modified since then.