PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-55950 Erlang CVE debrief

A high-severity Time-of-check Time-of-use (TOCTOU) race condition vulnerability was discovered in Erlang/OTP ssl, specifically in the dtls_packet_demux module. This vulnerability allows an unauthenticated remote attacker to crash all active DTLS sessions on a listener. The attack is pre-authentication and requires the attacker to send UDP datagrams containing valid ClientHello messages from the same source IP and port before the intermediate DOWN monitor message is processed by the gen_server. Organizations should prioritize patching this vulnerability to prevent potential denial-of-service attacks.

Vendor
Erlang
Product
OTP
CVSS
HIGH 8.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-02
Original CVE updated
2026-07-07
Advisory published
2026-07-02
Advisory updated
2026-07-07

Who should care

Organizations using Erlang/OTP versions 25.3 before 29.0.3, 28.5.0.3, and 27.3.4.14, or ssl versions 10.9 before 11.7.3, 11.6.0.3, and 11.2.12.10 should prioritize patching this vulnerability to prevent potential denial-of-service attacks. This includes operators, platform administrators, vulnerability management teams, and security teams responsible for these systems.

Technical summary

The vulnerability is caused by a race condition in the demux's internal gb_trees key-value store. When a DTLS client reconnects rapidly from the same source address and port, sending multiple ClientHello messages in quick succession, it can cause a {key_exists, {old, Client}} crash, terminating the demux process. This crash immediately kills every active DTLS session on the listener, not just the attacker's. The affected product context includes Erlang/OTP versions 25.3 before 29.0.3, 28.5.0.3, and 27.3.4.14, or ssl versions 10.9 before 11.7.3, 11.6.0.3, and 11.2.12.10.

Defensive priority

High

Recommended defensive actions

  • Apply patches or updates provided by the vendor to vulnerable versions of Erlang/OTP or ssl.
  • Implement compensating controls, such as monitoring and exception tracking, to detect and respond to potential attacks.
  • Consider disabling DTLS or restricting access to DTLS listeners to minimize the attack surface.
  • Review relevant monitoring, detection, and logs for exposed assets that need extra review.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.

Evidence notes

The CVE record was published on 2026-07-02T17:17:02.910Z and was last modified on 2026-07-07T14:45:59.213Z. The NVD entry is currently Analyzed. This information is based on the supplied source corpus and may not reflect the full scope of affected systems or potential impacts. Defenders should verify the official CVE record and vendor advisories for the most current information.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-02T17:17:02.910Z and has not been modified since then. The NVD entry is currently Analyzed.