Erlang/OTP KEX Init Message Processing Vulnerability Leading to Excessive Memory Consumption

Vulnerability

A vulnerability exists in the ssh application of Erlang/OTP versions prior to OTP-27.3.1, OTP-26.2.5.10, and OTP-25.3.2.19, where a maliciously crafted KEX init message (SSH_MSG_KEXINIT) can cause high memory usage. The implementation does not enforce the RFC-specified limit on algorithm name length in the KEX init name-lists (RFC 4251 allows at most 64 characters per name), so a peer can send name-lists containing arbitrarily long names. Such oversized KEX init packets are accepted and decoded in full, and the work of handling them drives excessive memory allocation on the receiving node.
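To make the missing check concrete, the following is an added example written for this page (it is not Erlang/OTP code and does not reproduce the OTP ssh implementation). It encodes and decodes SSH_MSG_KEXINIT as laid out in RFC 4253 section 7.1, with a decoder that can either enforce the RFC 4251 64-character rule on every name before any per-name object is built, or skip the check and materialise whatever the peer sent. The two sample messages, the sane one and the one carrying a single 100 000-byte "name", are constructed inline for the example; the function and field names are this example's own.

```python
import struct

SSH_MSG_KEXINIT = 20
MAX_NAME_LEN = 64  # RFC 4251 section 6: an algorithm name is at most 64 characters

# Name-list fields of SSH_MSG_KEXINIT in wire order (RFC 4253 section 7.1).
NAMELIST_FIELDS = (
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
)


class KexInitError(ValueError):
    """Raised when a KEXINIT message is malformed or violates RFC limits."""


def build_kexinit(lists, cookie=b"\x00" * 16):
    """Encode a KEXINIT from {field: [names]}. Used only to construct sample
    packets; it deliberately does not validate names, so it can also produce
    the oversized message an attacker would send."""
    out = bytearray([SSH_MSG_KEXINIT]) + cookie
    for field in NAMELIST_FIELDS:
        body = b",".join(n.encode("ascii") for n in lists.get(field, []))
        out += struct.pack(">I", len(body)) + body
    out += b"\x00"               # first_kex_packet_follows = FALSE
    out += struct.pack(">I", 0)  # reserved
    return bytes(out)


def _check_namelist(raw):
    """Scan a raw name-list and fail as soon as one element breaks the
    RFC 4251 rules: non-empty, printable US-ASCII, at most 64 characters."""
    if not raw:
        return  # an empty name-list is legal (e.g. the language lists)
    start = 0
    while True:
        comma = raw.find(b",", start)
        stop = len(raw) if comma < 0 else comma
        name = raw[start:stop]
        if not name:
            raise KexInitError("empty algorithm name")
        if len(name) > MAX_NAME_LEN:
            raise KexInitError(f"algorithm name of {len(name)} bytes exceeds {MAX_NAME_LEN}")
        if not all(0x21 <= c <= 0x7E for c in name):
            raise KexInitError("algorithm name is not printable US-ASCII")
        if comma < 0:
            return
        start = comma + 1


def parse_kexinit(packet, enforce_limit=True):
    """Decode a KEXINIT payload into a dict. With enforce_limit=True each
    name-list is checked against the 64-character rule before names are
    split out; with False it behaves like an unchecked decoder."""
    if len(packet) < 17 or packet[0] != SSH_MSG_KEXINIT:
        raise KexInitError("not a KEXINIT message")
    off = 17  # message byte + 16-byte cookie
    result = {"cookie": packet[1:17]}
    for field in NAMELIST_FIELDS:
        if off + 4 > len(packet):
            raise KexInitError(f"truncated length of {field}")
        (n,) = struct.unpack_from(">I", packet, off)
        off += 4
        if off + n > len(packet):
            raise KexInitError(f"truncated body of {field}")
        raw = packet[off:off + n]
        off += n
        if enforce_limit:
            _check_namelist(raw)
        result[field] = raw.decode("ascii", "replace").split(",") if raw else []
    if off + 5 > len(packet):
        raise KexInitError("truncated trailer")
    result["first_kex_packet_follows"] = packet[off] != 0
    return result


# Constructed sample: an ordinary client KEXINIT.
SANE_LISTS = {
    "kex_algorithms": ["curve25519-sha256", "ecdh-sha2-nistp256"],
    "server_host_key_algorithms": ["ssh-ed25519", "rsa-sha2-256"],
    "encryption_algorithms_client_to_server": ["aes256-gcm@openssh.com"],
    "encryption_algorithms_server_to_client": ["aes256-gcm@openssh.com"],
    "mac_algorithms_client_to_server": ["hmac-sha2-256"],
    "mac_algorithms_server_to_client": ["hmac-sha2-256"],
    "compression_algorithms_client_to_server": ["none"],
    "compression_algorithms_server_to_client": ["none"],
}

# Constructed sample: the same message, but the kex list carries one
# 100 000-byte "name", the shape of input the advisory describes.
OVERSIZED_LISTS = dict(SANE_LISTS, kex_algorithms=["A" * 100_000])


if __name__ == "__main__":
    print(parse_kexinit(build_kexinit(SANE_LISTS))["kex_algorithms"])
    bad = build_kexinit(OVERSIZED_LISTS)
    try:
        parse_kexinit(bad)
    except KexInitError as err:
        print("rejected:", err)
    print(len(parse_kexinit(bad, enforce_limit=False)["kex_algorithms"][0]))
```

The enforcing path rejects the oversized message while scanning the first name-list, before any name is decoded or handed to algorithm negotiation; the unchecked path returns a 100 000-character string for a field that can legitimately hold at most 64, which is the difference between bounded and attacker-controlled allocation per message.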

Impact

Exploitation of this vulnerability causes significant memory consumption on the affected node, which can lead to performance degradation or application instability. Because SSH_MSG_KEXINIT is exchanged before the client authenticates, the malicious message can be sent by anyone able to reach the SSH listener.

Remediation

Upgrade to Erlang/OTP OTP-27.3.1, OTP-26.2.5.10, or OTP-25.3.2.19 (or later) to address this vulnerability. As a temporary workaround, set the ssh daemon option `parallel_login` to `false` and reduce `max_sessions`; this limits how many connections can be in key exchange at the same time and so bounds the aggregate memory an attacker can tie up, but it does not reduce the memory consumed by a single malicious message.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 2.5
exploitability: 4.7
remediation: 8.3
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.