Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable with low complexity, requires authenticated access (PR:L); no confidentiality or integrity impact; availability limited to channel/process level with BEAM scheduler preventing full node starvation.
Primary rating from Vendor (EEF).
CVSS VectorVendor: EEF
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP user to render an SFTP channel permanently unresponsive.
The handle_data/4 function in ssh_sftpd contains a catch-all clause that accepts channel data of any type. When channel data with a non-zero type code (SSH_MSG_CHANNEL_EXTENDED_DATA) arrives with an empty pending buffer and a payload at or below the SFTP packet size limit, the clause tail-calls itself with identical arguments, creating an infinite loop.
The SFTP protocol operates exclusively on normal channel data (type 0). Extended data (non-zero type) is meaningless for SFTP and is never sent by conforming clients. However, the SSH protocol permits any channel participant to send extended data on an open channel, so an authenticated SFTP client can trigger the loop by sending SSH_MSG_CHANNEL_EXTENDED_DATA with any data_type_code and any non-empty payload at or below the size limit.
The targeted ssh_sftpd process enters an infinite tail-recursive loop. It never processes another message, its message queue grows without bound, and it can only be stopped by killing the process. BEAM's reduction-based scheduler preemption continues to function, so other processes on the node are not starved, but each stuck channel process consumes its full CPU time share continuously and accumulates unbounded message queue memory. Opening many channels amplifies the CPU and memory impact.
Erlang/OTP SSH configurations using the default max_channels setting (infinity) allow an authenticated user to open unlimited channels per connection, amplifying the attack without requiring multiple TCP connections or authentications.
No file contents, credentials, or write access are obtainable through this issue. The impact is limited to denial of service on targeted SFTP channels, with secondary CPU degradation and memory growth.
This vulnerability is associated with program file lib/ssh/src/ssh_sftpd.erl and program routine ssh_sftpd:handle_data/4.
This issue affects OTP from OTP 17.0 until OTP 29.0.3, 28.5.0.3, and 27.3.4.14 corresponding to ssh from 3.0.1 until 6.0.2, 5.5.2.2, and 5.2.11.9.
AnalysisAI
Infinite loop denial-of-service in Erlang OTP's ssh_sftpd module allows an authenticated SFTP user to permanently freeze individual SFTP channel processes by sending SSH_MSG_CHANNEL_EXTENDED_DATA frames. The affected function handle_data/4 tail-calls itself indefinitely when it receives extended-data channel messages (type != 0) with an empty pending buffer, because the SFTP protocol never expects such messages and the catch-all clause has no exit condition for them. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid authenticated SFTP session on an Erlang OTP SSH server running an affected OTP version with the ssh_sftpd subsystem enabled. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L) reflects a network-accessible, low-complexity flaw requiring authenticated access, with availability impact limited to the vulnerable system. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated user with valid SFTP credentials connects to an OTP SSH server and opens one or more SFTP subsystem channels. Instead of sending normal SFTP requests, they transmit SSH_MSG_CHANNEL_EXTENDED_DATA frames with any non-zero data_type_code and a non-empty payload below the SFTP packet size limit. … |
| Remediation | Upgrade Erlang OTP to one of the patched releases: 29.0.3, 28.5.0.3, or 27.3.4.14, which contain the fix committed at https://github.com/erlang/otp/commit/eaf9550b8ad4738b81149d3f617102d980c6dd18. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Incorrect access control in Yubico OTP functionality of the YubiKey hardware tokens along with the Yubico OTP validation
Denial of service in Erlang/OTP erts (inet_drv SCTP handler) lets unauthenticated remote attackers crash the BEAM VM by
Remote denial of service in Erlang/OTP's ssl application (dtls_packet_demux module) lets an unauthenticated attacker cra
Authorization bypass in Erlang OTP's inets HTTP server allows unanauthenticated remote attackers to execute CGI scripts
Denial of service in the Erlang/OTP ssl application (OTP 22.2 through 29.0.3, and the 28.5.x/27.3.x maintenance branches
Erlang OTP public_key module (versions 1.16 through 1.20.3 and 1.17.1.2) fails to cryptographically verify OCSP responde
Authentication bypass in Erlang/OTP's TLS distribution module (inet_tls_dist) lets any attacker holding a TLS certificat
Credential leakage in Erlang/OTP's inets httpc client (versions 17.0 through 29.0.2, 28.5.0.2, and 27.3.4.13) allows att
Stack-based buffer overflow in Erlang OTP's erl_interface C library (`ei_s_print_term`) crashes processes when decoding
The DTLS server in Erlang/OTP ssl initializes its cookie secret to a hardcoded empty binary on startup, making HMAC-base
Username enumeration via timing side-channel in Erlang/OTP SSH daemon (OTP 29.0-29.0.1) allows unauthenticated remote at
Blind plaintext injection into Erlang/OTP TLS clients allows a network-positioned attacker to insert unauthenticated APP
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41413