{"id":"CVE-2026-23943","details":"Improper Handling of Highly Compressed Data (Compression Bomb) vulnerability in Erlang OTP ssh (ssh_transport modules) allows Denial of Service via Resource Depletion.\n\nThe SSH transport layer advertises legacy zlib compression by default and inflates attacker-controlled payloads pre-authentication without any size limit, enabling reliable memory exhaustion DoS.\n\nTwo compression algorithms are affected:\n\n* zlib: Activates immediately after key exchange, enabling unauthenticated attacks\n* zlib@openssh.com: Activates post-authentication, enabling authenticated attacks\n\nEach SSH packet can decompress ~255 MB from 256 KB of wire data (1029:1 amplification ratio). Multiple packets can rapidly exhaust available memory, causing OOM kills in memory-constrained environments.\n\nThis vulnerability is associated with program files lib/ssh/src/ssh_transport.erl and program routines ssh_transport:decompress/2, ssh_transport:handle_packet_part/4.\n\nThis issue affects OTP from OTP 17.0 until OTP 28.4.1, 27.3.4.9 and 26.2.5.18 corresponding to ssh from 3.0.1 until 5.5.1, 5.2.11.6 and 5.1.4.14.","aliases":["EEF-CVE-2026-23943","GHSA-c836-qprm-jw9r"],"modified":"2026-05-07T08:59:15.515930924Z","published":"2026-03-13T19:54:15.783Z","related":["SUSE-SU-2026:1714-1","SUSE-SU-2026:21374-1","openSUSE-SU-2026:20607-1"],"references":[{"type":"WEB","url":"https://www.erlang.org/doc/system/versions.html#order-of-versions"},{"type":"ADVISORY","url":"https://github.com/erlang/otp/security/advisories/GHSA-c836-qprm-jw9r"},{"type":"FIX","url":"https://github.com/erlang/otp/commit/43a87b949bdff12d629a8c34146711d9da93b1b1"},{"type":"FIX","url":"https://github.com/erlang/otp/commit/93073c3bd338c60cd2bae715ce6a1d4ffc1a8fd3"},{"type":"FIX","url":"https://github.com/erlang/otp/commit/0c1c04b191f6ab940e8fcfabce39eb5a8a6440a4"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/erlang/otp","events":[{"introduced":"0"},{"fixed":"0c1c04b191f6ab940e8fcfabce39eb5a8a6440a4"}]},{"type":"GIT","repo":"https://github.com/erlang/otp","events":[{"introduced":"0"},{"fixed":"43a87b949bdff12d629a8c34146711d9da93b1b1"}]},{"type":"GIT","repo":"https://github.com/erlang/otp","events":[{"introduced":"0"},{"fixed":"93073c3bd338c60cd2bae715ce6a1d4ffc1a8fd3"}]}],"versions":["OTP-17.0","OTP-18.0","OTP-18.0-rc1","OTP-19.0","OTP-19.0-rc1","OTP-19.0-rc2","OTP-20.0","OTP-20.0-rc1","OTP-20.0-rc2","OTP-21.0","OTP-21.0-rc1","OTP-21.0-rc2","OTP-22.0","OTP-22.0-rc1","OTP-22.0-rc2","OTP-22.0-rc3","OTP-23.0","OTP-23.0-rc1","OTP-23.0-rc2","OTP-23.0-rc3","OTP-24.0","OTP-24.0-rc1","OTP-24.0-rc2","OTP-24.0-rc3","OTP-25.0","OTP-25.0-rc1","OTP-25.0-rc2","OTP-25.0-rc3","OTP-26.0","OTP-26.0-rc1","OTP-26.0-rc2","OTP-26.0-rc3","OTP-26.1","OTP-26.2","OTP-26.2.3","OTP-26.2.4","OTP-26.2.5","OTP-26.2.5.1","OTP-26.2.5.10","OTP-26.2.5.11","OTP-26.2.5.12","OTP-26.2.5.13","OTP-26.2.5.14","OTP-26.2.5.15","OTP-26.2.5.16","OTP-26.2.5.17","OTP-26.2.5.2","OTP-26.2.5.3","OTP-26.2.5.4","OTP-26.2.5.5","OTP-26.2.5.6","OTP-26.2.5.7","OTP-26.2.5.8","OTP-26.2.5.9","OTP-27.0","OTP-27.0-rc1","OTP-27.0-rc2","OTP-27.0-rc3","OTP-27.1","OTP-27.2","OTP-27.3","OTP-27.3.1","OTP-27.3.2","OTP-27.3.3","OTP-27.3.4","OTP-27.3.4.1","OTP-27.3.4.2","OTP-27.3.4.3","OTP-27.3.4.4","OTP-27.3.4.5","OTP-27.3.4.6","OTP-27.3.4.7","OTP-27.3.4.8","OTP-28.0","OTP-28.0-rc1","OTP-28.0-rc2","OTP-28.0-rc3","OTP-28.0-rc4","OTP-28.1","OTP-28.4","OTP_17.0-rc1","OTP_17.0-rc2","OTP_R13B03","OTP_R13B04","OTP_R14A","OTP_R14B","OTP_R14B01","OTP_R14B02","OTP_R14B03","OTP_R15A","OTP_R15B","OTP_R16A_RELEASE_CANDIDATE","OTP_R16B","patch-base-26","patch-base-27"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23943.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"}]}
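The defect this record describes is an inflate with no output budget on peer-chosen data. The following is an added example, not OTP's ssh_transport code or any of the referenced fix commits: it is written in Python rather than Erlang so it runs stand-alone with only the standard library, and it shows the amplification a zlib bomb achieves next to the generic remedy of inflating against a caller-chosen output limit. The zero-filled sample payload, its 16 MiB size and the 1 MiB per-packet budget are constructed for the example; the advisory's own figures are ~255 MB from 256 KB of wire data per SSH packet.

```python
"""Compression-bomb amplification and a bounded inflate, as a stand-alone model.

Constructed example: a run of zero bytes stands in for the attacker-controlled
compressed SSH payload. This is not the OTP ssh_transport code or its fix; it
models the generic defect (inflate with no output budget) next to the generic
hardening (inflate against a caller-chosen output budget).
"""
import zlib

# Constructed sample: 16 MiB of zeros. The advisory cites ~255 MB per packet;
# 16 MiB keeps the demonstration fast while giving the same ratio.
SAMPLE_PLAIN_LEN = 16 * 1024 * 1024

# Hypothetical per-packet output budget a transport layer might enforce; the
# value is an assumption for this example, not one taken from OTP.
DEFAULT_BUDGET = 1024 * 1024


class InflateLimitExceeded(ValueError):
    """Inflating the input would produce more than the allowed output."""


def make_bomb(plain_len: int = SAMPLE_PLAIN_LEN) -> bytes:
    """Return zlib-compressed data that inflates to plain_len zero bytes."""
    return zlib.compress(b"\x00" * plain_len, 9)


def amplification(compressed: bytes, plain_len: int) -> float:
    """Inflated bytes per wire byte for the given compressed blob."""
    return plain_len / len(compressed)


def inflate_unbounded(compressed: bytes) -> int:
    """Vulnerable pattern: allocate whatever the peer's data expands to.

    Returns the inflated length; the whole buffer is held in memory first,
    so the peer decides how much memory this call consumes.
    """
    return len(zlib.decompress(compressed))


def inflate_bounded(compressed: bytes, max_out: int = DEFAULT_BUDGET) -> bytes:
    """Hardened pattern: inflate incrementally and refuse once max_out is exceeded.

    decompressobj.decompress(data, max_length) never returns more than
    max_length bytes; input it did not consume stays in unconsumed_tail, so
    the stream can be resumed or abandoned without ever allocating the full
    attacker-chosen output.
    """
    if max_out <= 0:
        raise ValueError("max_out must be positive")
    d = zlib.decompressobj()
    out = bytearray()
    pending = compressed
    while True:
        # Ask for one byte beyond the remaining budget so an overrun is
        # detected on this call rather than silently truncated. The value
        # is always >= 1 here; max_length=0 would mean "unlimited" to zlib.
        chunk = d.decompress(pending, max_out - len(out) + 1)
        out += chunk
        if len(out) > max_out:
            raise InflateLimitExceeded(
                f"inflated output exceeds budget of {max_out} bytes"
            )
        # Stop at end of stream, or when a call made no progress at all.
        no_progress = not chunk and len(d.unconsumed_tail) == len(pending)
        if d.eof or no_progress:
            break
        pending = d.unconsumed_tail
    return bytes(out)


def exceeds_budget(compressed: bytes, max_out: int = DEFAULT_BUDGET) -> bool:
    """True if inflating compressed under max_out would be refused."""
    try:
        inflate_bounded(compressed, max_out)
    except InflateLimitExceeded:
        return True
    return False


if __name__ == "__main__":
    bomb = make_bomb()
    print(f"wire bytes: {len(bomb)}, inflates to {SAMPLE_PLAIN_LEN} bytes "
          f"({amplification(bomb, SAMPLE_PLAIN_LEN):.0f}:1)")
    print("unbounded inflate allocated", inflate_unbounded(bomb), "bytes")
    print("bounded inflate refused it:", exceeds_budget(bomb))
```

The bounded variant is the shape of check a transport layer needs before authentication: the budget is tied to what a legitimate packet may carry, and an overrun is a protocol error that ends the connection rather than a larger allocation. On the Erlang side, the corresponding operational mitigation until a fixed release is deployed is to stop advertising the two affected methods through the daemon's compression algorithm list (the `preferred_algorithms` option with `{compression, [none]}`); that option belongs to the documented ssh API but is not referenced by this record, so confirm it against the OTP release you run.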