CVE-2026-23943: Pre-auth SSH DoS via unbounded zlib inflate

Published Mar 13, 2026
·
Updated

Improper Handling of Highly Compressed Data (Compression Bomb) vulnerability in Erlang OTP ssh (ssh_transport modules) allows Denial of Service via Resource Depletion. The SSH transport layer advertises legacy zlib compression by default and inflates attacker-controlled payloads pre-authentication without any size limit, enabling reliable memory exhaustion DoS. Two compression algorithms are affected: * zlib: Activates immediately after key exchange, enabling unauthenticated attacks * zlib@openssh.com: Activates post-authentication, enabling authenticated attacks Each SSH packet can decompress ~255 MB from 256 KB of wire data (1029:1 amplification ratio). Multiple packets can rapidly exhaust available memory, causing OOM kills in memory-constrained environments. This vulnerability is associated with program files lib/ssh/src/ssh_transport.erl and program routines ssh_transport:decompress/2, ssh_transport:handle_packet_part/4. This issue affects OTP from OTP 17.0 until OTP 28.4.1, 27.3.4.9 and 26.2.5.18 corresponding to ssh from 3.0.1 until 5.5.1, 5.2.11.6 and 5.1.4.14.

Affected Software

10 affected componentsFixes available
Erlang Solutions Erlang/OTP>=17.0<28.4.1
Erlang Solutions SSH>=3.0.1<5.5.1
Microsoft azl3 erlang 26.2.5.17-1
Patch available
Microsoft cbl2 erlang 25.3.2.21-4
Patch available
Erlang Erlang\/otp>=17.0<26.2.5.18
Erlang Erlang\/otp>=27.0<27.3.4.9
Erlang Erlang\/otp>=28.0<28.4.1
Erlang Erlang\/ssh>=3.0.1<5.1.4.14
Erlang Erlang\/ssh>=5.2<5.2.11.6
Erlang Erlang\/ssh>=5.5<=5.5.1

Remediation

Patch Available

https://github.com/erlang/otp/commit/0c1c04b191f6ab940e8fcfabce39eb5a8a6440a4

Patch Available

https://github.com/erlang/otp/commit/43a87b949bdff12d629a8c34146711d9da93b1b1

Patch Available

https://github.com/erlang/otp/commit/93073c3bd338c60cd2bae715ce6a1d4ffc1a8fd3

Event History

Mar 13, 2026
CVE Published
via MITRE·09:11 AM
Data Sourced
via MITRE·09:11 AM
DescriptionWeakness
Data Sourced
via NVD·07:54 PM
RemedyDescriptionSeverityWeaknessAffected Software
Mar 17, 2026
Data Sourced
via Microsoft·08:02 AM
DescriptionSeverityWeaknessAffected Software
Updated
via Microsoft·08:02 AM
Affected Software
Updated
via Microsoft·08:02 AM
DescriptionSeverity
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2026-23943?

CVE-2026-23943 has been classified as a Denial of Service vulnerability due to resource depletion.

2

How do I fix CVE-2026-23943?

To mitigate CVE-2026-23943, update your Erlang/OTP and SSH versions to versions higher than the affected ones.

3

What types of systems are affected by CVE-2026-23943?

CVE-2026-23943 affects Erlang/OTP versions from 17.0 to 28.4.1 and SSH versions from 3.0.1 to 5.5.1.

4

Can CVE-2026-23943 be exploited remotely?

Yes, CVE-2026-23943 can be exploited remotely through a pre-authentication SSH connection.

5

What is the nature of the attack vector for CVE-2026-23943?

CVE-2026-23943 is exploited via unbounded zlib inflate leading to denial of service from highly compressed data.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203