CVE-2025-30211

HIGH

Erlang/OTP <27.3.1, 26.2.5.10, 25.3.2.19 - Memory Corruption

Title source: llm

Description

Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.1, 26.2.5.10, and 25.3.2.19, a maliciously formed KEX init message can result with high memory usage. Implementation does not verify RFC specified limits on algorithm names (64 characters) provided in KEX init message. Big KEX init packet may lead to inefficient processing of the error data. As a result, large amount of memory will be allocated for processing malicious data. Versions OTP-27.3.1, OTP-26.2.5.10, and OTP-25.3.2.19 fix the issue. Some workarounds are available. One may set option `parallel_login` to `false` and/or reduce the `max_sessions` option.

References (2)

[Mailing List] https://lists.debian.org/debian-lts-announce/2025/04/msg00028.html

[Vendor Advisory] https://github.com/erlang/otp/security/advisories/GHSA-vvr3-fjhh-cfwc

Scores

CVSS v3 7.5

EPSS 0.0055

EPSS Percentile 68.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-789

Status published

Products (3)

erlang/otp < OTP-25.3.2.19

erlang/otp < OTP-26.2.5.10

erlang/otp < OTP-27.3.1

Published Mar 28, 2025

Tracked Since Feb 18, 2026