CVE-2026-23943: Erlang OTP SSH Compression Bomb DoS Flaw

CVE-2026-23943 Overview

CVE-2026-23943 is a Denial of Service vulnerability affecting Erlang OTP SSH modules caused by improper handling of highly compressed data (compression bomb). The SSH transport layer advertises legacy zlib compression by default and inflates attacker-controlled payloads pre-authentication without any size limit, enabling reliable memory exhaustion attacks.

This vulnerability affects the ssh_transport modules in Erlang OTP, specifically the ssh_transport:decompress/2 and ssh_transport:handle_packet_part/4 routines in lib/ssh/src/ssh_transport.erl. Two compression algorithms are impacted with different attack surfaces:

• zlib: Activates immediately after key exchange, enabling unauthenticated attacks
• zlib@openssh.com: Activates post-authentication, enabling authenticated attacks

Each SSH packet can decompress approximately 255 MB from 256 KB of wire data, achieving a 1029:1 amplification ratio. Multiple packets can rapidly exhaust available memory, causing OOM kills in memory-constrained environments.

Critical Impact

Unauthenticated attackers can trigger memory exhaustion DoS on Erlang SSH servers with zlib compression enabled, requiring no credentials due to pre-authentication decompression.

Affected Products

• Erlang OTP versions 17.0 through 28.4.1
• Erlang OTP ssh versions 3.0.1 through 5.5.1
• Systems using Erlang OTP ssh with zlib compression enabled (default configuration prior to patch)

Discovery Timeline

• 2026-03-13 - CVE CVE-2026-23943 published to NVD
• 2026-03-16 - Last updated in NVD database

Technical Details for CVE-2026-23943

Vulnerability Analysis

The vulnerability exists in how Erlang OTP's SSH implementation handles compressed data during the transport layer. The core issue is that the ssh_transport:decompress/2 function inflates incoming compressed payloads without enforcing any maximum decompressed size limit. This allows an attacker to craft specially designed compressed payloads that expand to enormous sizes when decompressed.

The zlib compression algorithm is particularly dangerous because it activates immediately after the SSH key exchange phase, before any authentication occurs. This means an attacker can initiate an SSH connection, complete the key exchange, and then begin sending malicious compressed packets without ever providing credentials. The zlib@openssh.com variant offers some protection since it only activates post-authentication, but authenticated users can still exploit it.

Root Cause

The root cause lies in CWE-409: Improper Handling of Highly Compressed Data (Compression Bomb). The vulnerable code path in ssh_transport.erl performs decompression without checking the resulting output size against any threshold. When processing incoming SSH packets, the handle_packet_part/4 routine calls the decompression function which blindly expands all compressed data into memory. The default algorithm configuration also included zlib in the enabled compression algorithms list, exposing servers to unauthenticated attacks by default.

Attack Vector

The attack is network-accessible and requires no authentication when targeting the zlib compression algorithm. An attacker establishes an SSH connection to a vulnerable Erlang OTP SSH server and completes the key exchange phase. During negotiation, if zlib compression is advertised and selected, the attacker can immediately begin sending compression bomb payloads.

The attack sequence involves:

1. Connecting to the target SSH server
2. Completing key exchange with zlib compression negotiated
3. Sending multiple 256 KB compressed payloads
4. Each payload decompresses to ~255 MB in server memory
5. Repeated packets quickly exhaust available memory, triggering OOM conditions

// Security patch removing zlib from default compression algorithms
// Source: https://github.com/erlang/otp/commit/0c1c04b191f6ab940e8fcfabce39eb5a8a6440a4

 	<list type="bulleted">
 	  <item>none</item>
 	  <item>zlib@openssh.com</item>
-	  <item>zlib</item>
 	</list>
+	<p>The following compression algorithm is disabled by default:</p>
+	<list>
+	  <item>(zlib)</item>
+	</list>
+	<p>It can be enabled with the
+	<seetype marker="ssh:ssh#preferred_algorithms_common_option">preferred_algorithms</seetype>
+	or
+	<seetype marker="ssh:ssh#modify_algorithms_common_option">modify_algorithms</seetype>
+	options.
+	</p>

The patch also adds explicit size checking after decompression:

// Security patch adding decompression size limit check
// Source: https://github.com/erlang/otp/commit/43a87b949bdff12d629a8c34146711d9da93b1b1

    {error, exceeds_max_decompressed_size} ->
            {Shutdown, D} =
                ?send_disconnect(?SSH_DISCONNECT_PROTOCOL_ERROR,
                                 "Bad packet: Size after decompression exceeds max size",
                                 StateName, D0),
            {stop, Shutdown, D}

Detection Methods for CVE-2026-23943

Indicators of Compromise

• Unusual memory consumption spikes on systems running Erlang SSH servers
• SSH connections that complete key exchange but fail authentication repeatedly while consuming significant memory
• OOM (Out of Memory) killer events affecting Erlang BEAM processes
• Abnormally large SSH packet sizes during decompression operations
• High volume of SSH connections from single sources negotiating zlib compression

Detection Strategies

• Monitor Erlang BEAM process memory usage for sudden unexplained growth patterns
• Implement network-level detection for SSH sessions negotiating zlib compression followed by high data volume
• Deploy application-level logging to track compression algorithm negotiation in SSH handshakes
• Configure alerts for OOM events affecting SSH-related Erlang processes

Monitoring Recommendations

• Enable detailed SSH session logging to capture compression algorithm negotiation
• Set up memory threshold alerts for Erlang VM processes handling SSH connections
• Monitor network traffic for SSH connections with disproportionate data transfer ratios
• Implement rate limiting on incoming SSH connections per source IP

How to Mitigate CVE-2026-23943

Immediate Actions Required

• Upgrade Erlang OTP to patched versions: 28.4.1, 27.3.4.9, or 26.2.5.18 (corresponding ssh versions: 5.5.1, 5.2.11.6, or 5.1.4.14)
• If immediate patching is not possible, disable zlib compression in SSH configuration using preferred_algorithms or modify_algorithms options
• Review SSH server configurations to verify compression settings
• Monitor for exploitation attempts targeting SSH services

Patch Information

Security patches are available through three commits addressing different OTP release branches:

• GitHub Commit 0c1c04b - OTP 26 maintenance branch
• GitHub Commit 43a87b9 - OTP 27 maintenance branch
• GitHub Commit 93073c3 - OTP 28 maintenance branch

The patches implement two key fixes: removing zlib from the default compression algorithms list and adding a maximum decompressed size check that disconnects clients with SSH_DISCONNECT_PROTOCOL_ERROR when exceeded.

For complete details, see the GitHub Security Advisory GHSA-c836-qprm-jw9r.

Workarounds

• Disable zlib compression entirely by configuring SSH to use only none or zlib@openssh.com compression
• Implement network-level rate limiting for SSH connections
• Deploy resource limits (cgroups, ulimits) on Erlang BEAM processes to contain memory exhaustion impact
• Use firewall rules to restrict SSH access to trusted networks only

% Disable vulnerable zlib compression in Erlang SSH configuration
% Use modify_algorithms to explicitly remove zlib from compression options
ssh:daemon(22, [
    {modify_algorithms, [
        {rm, [{compression, ['zlib']}]}
    ]}
]).

% Alternative: Use preferred_algorithms to specify only safe compression
ssh:daemon(22, [
    {preferred_algorithms, [
        {compression, [{client2server, [none, 'zlib@openssh.com']},
                       {server2client, [none, 'zlib@openssh.com']}]}
    ]}
]).