CVE-2025-26618 in otp
Summary
by MITRE • 02/20/2025
Erlang is a programming language and runtime system for building massively scalable soft real-time systems with requirements on high availability. OTP is a set of Erlang libraries, which consists of the Erlang runtime system, a number of ready-to-use components mainly written in Erlang. Packet size is not verified properly for SFTP packets. As a result when multiple SSH packets (conforming to max SSH packet size) are received by ssh, they might be combined into an SFTP packet which will exceed the max allowed packet size and potentially cause large amount of memory to be allocated. Note that situation described above can only happen for successfully authenticated users after completing the SSH handshake. This issue has been patched in OTP versions 27.2.4, 26.2.5.9, and 25.3.2.18. There are no known workarounds for this vulnerability.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 03/07/2025
This vulnerability resides within the Erlang Open Telecom Platform implementation where improper validation of packet sizes in SFTP packet processing creates a potential memory exhaustion risk. The flaw specifically affects the SSH subsystem's handling of packet concatenation, where multiple legitimate SSH packets that individually conform to maximum packet size limits can be aggregated into a single SFTP packet that exceeds the allowed size threshold. This represents a classic buffer over-read and memory allocation manipulation scenario that exploits the trust relationship established during successful SSH authentication.
The technical execution of this vulnerability requires an attacker to first establish a successful SSH connection and complete the authentication handshake, as the issue only manifests post-authentication. Once authenticated, the attacker can leverage the packet concatenation logic to cause the system to allocate excessive memory resources, potentially leading to denial of service conditions or system instability. The vulnerability stems from inadequate input validation within the SFTP packet processing layer, where the system fails to properly verify that combined packet sizes remain within acceptable bounds despite individual packets being valid.
From a cybersecurity perspective, this vulnerability aligns with CWE-129 Input Validation and CWE-772 Insufficient Resource Management, as it involves improper validation of packet sizes and excessive memory allocation without adequate bounds checking. The attack vector falls under the MITRE ATT&CK framework category of privilege escalation and resource exhaustion, where authenticated users can leverage their session to cause system-level memory issues. The impact is particularly concerning because it operates within the core runtime system of Erlang/OTP, which is designed for high availability and fault tolerance, making such memory exhaustion attacks particularly disruptive to system operations.
The patching strategy addresses this through version updates in OTP releases 27.2.4, 26.2.5.9, and 25.3.2.18, which implement proper packet size validation and memory allocation bounds checking. Organizations utilizing Erlang/OTP systems should prioritize immediate upgrade to these patched versions to mitigate the risk. The vulnerability's remediation demonstrates the importance of proper input validation in network protocol implementations and highlights the need for comprehensive testing of packet aggregation scenarios. Without workarounds available, the primary defense mechanism relies on timely patch management and system updates to prevent exploitation of this memory allocation vulnerability that could compromise system availability and stability.