PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-54887 Erlang CVE debrief

The CVE-2026-54887 vulnerability is associated with a Use of Default Cryptographic Key issue in Erlang/OTP ssl (DTLS server). This allows for predictable DTLS cookie computation during the startup window, enabling source address verification bypass. The vulnerability affects OTP versions from 20.0 before 29.0.3, 28.5.0.3, and 27.3.4.14, corresponding to ssl versions 8.2 before 11.7.3, 11.6.0.3, and 11.2.12.10. The DTLS cookie is a denial-of-service mitigation that prevents spoofed source IPs from forcing the server to allocate state and perform expensive cryptographic operations. During the window from server startup until the first secret rotation (0 to 15 seconds), an attacker who can observe the plaintext ClientHello can bypass the source address verification, enabling DTLS handshake amplification with spoofed source addresses. This issue is associated with program file lib/ssl/src/dtls_server_connection.erl and program routine dtls_server_connection:initial_hello/3.

Vendor
Erlang
Product
OTP
CVSS
MEDIUM 6.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-02
Original CVE updated
2026-07-07
Advisory published
2026-07-02
Advisory updated
2026-07-07

Who should care

Erlang/OTP users with DTLS server configurations, especially those in environments requiring high security and source address verification, should be aware of this vulnerability. This includes operators managing DTLS servers, security teams responsible for vulnerability management, and platform administrators who need to ensure the security of their infrastructure. The vulnerability's impact on these groups is significant because it allows for DTLS handshake amplification with spoofed source addresses, potentially leading to denial-of-service attacks.

Technical summary

The vulnerability allows predictable DTLS cookie computation during the startup window of a DTLS server in Erlang/OTP ssl, enabling source address verification bypass. This is due to the initialization of previous_cookie_secret to an empty binary instead of a random value, making HMAC with an empty key deterministic. The empty binary key leads to a deterministic HMAC output, which can be exploited to forge a valid DTLS cookie. The vulnerability affects OTP 20.0 before 29.0.3, 28.5.0.3, and 27.3.4.14, corresponding to ssl 8.2 before 11.7.3, 11.6.0.3, and 11.2.12.10. The DTLS cookie mechanism is intended to prevent spoofed source IPs from forcing the server to allocate state and perform expensive cryptographic operations.

Defensive priority

Medium priority due to the potential for DTLS handshake amplification with spoofed source addresses.

Recommended defensive actions

  • Update Erlang/OTP to version 29.0.3, 28.5.0.3, or 27.3.4.14, or ssl to version 11.7.3, 11.6.0.3, or 11.2.12.10.
  • Implement compensating controls such as monitoring and exception tracking for suspicious DTLS activity.
  • Consider applying additional security measures like rate limiting for DTLS handshakes.
  • Review and update security configurations for DTLS servers to ensure they are not exposed to untrusted networks.
  • Perform a thorough review of the system to identify any potential exposure and apply mitigations accordingly.
  • Monitor for and respond to potential DTLS handshake amplification attacks.
  • Verify that the patch has been successfully applied and that the system is no longer vulnerable.

Evidence notes

The vulnerability is associated with program file lib/ssl/src/dtls_server_connection.erl and program routine dtls_server_connection:initial_hello/3. Affected versions include OTP 20.0 before 29.0.3, 28.5.0.3, and 27.3.4.14, corresponding to ssl versions 8.2 before 11.7.3, 11.6.0.3, and 11.2.12.10. The DTLS cookie mechanism is intended to prevent spoofed source IPs from forcing the server to allocate state and perform expensive cryptographic operations. During the window from server startup until the first secret rotation (0 to 15 seconds), an attacker who can observe the plaintext ClientHello can bypass the source address verification.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-02T17:17:02.570Z and has not been modified since then.