Erlang OTP SSH Transport Compression Bomb OOM (OTP 17.028.4.1)
CVE-2026-23943 Published on March 13, 2026
Pre-auth SSH DoS via unbounded zlib inflate
Improper Handling of Highly Compressed Data (Compression Bomb) vulnerability in Erlang OTP ssh (ssh_transport modules) allows Denial of Service via Resource Depletion.
The SSH transport layer advertises legacy zlib compression by default and inflates attacker-controlled payloads pre-authentication without any size limit, enabling reliable memory exhaustion DoS.
Two compression algorithms are affected:
* zlib: Activates immediately after key exchange, enabling unauthenticated attacks
* zlib@openssh.com: Activates post-authentication, enabling authenticated attacks
Each SSH packet can decompress ~255 MB from 256 KB of wire data (1029:1 amplification ratio). Multiple packets can rapidly exhaust available memory, causing OOM kills in memory-constrained environments.
This vulnerability is associated with program files lib/ssh/src/ssh_transport.erl and program routines ssh_transport:decompress/2, ssh_transport:handle_packet_part/4.
This issue affects OTP from OTP 17.0 until OTP 28.4.1, 27.3.4.9 and 26.2.5.18 corresponding to ssh from 3.0.1 until 5.5.1, 5.2.11.6 and 5.1.4.14.
Weakness Type
What is a Data Amplification Vulnerability?
The software does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output. An example of data amplification is a "decompression bomb," a small ZIP file that can produce a large amount of data when it is decompressed.
CVE-2026-23943 has been classified to as a Data Amplification vulnerability or weakness.
Products Associated with CVE-2026-23943
Want to know whenever a new CVE is published for Erlangotp? stack.watch will email you.
Affected Versions
Erlang OTP:- Version 3.0.1 and below * is affected.
- Version pkg:otp/ssh@3.0.1 and below pkg:otp/ssh@* is affected.
- Version 17.0 and below * is affected.
- Version 07b8f441ca711f9812fad9e9115bab3c3aa92f79 and below * is affected.