Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Single unauthenticated network ClientHello triggers it (AV:N/AC:L/PR:N/UI:N); impact is availability-only DoS of TLS 1.3 tickets, so C:N/I:N/A:H and scope unchanged.
Primary rating from Vendor (EEF).
CVSS VectorVendor: EEF
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
The Erlang/OTP ssl application does not validate that the PSK identity list and binder list carried in a TLS 1.3 ClientHello pre-shared key extension have equal length before passing them to the session ticket handler. In tls_handshake_1_3:handle_pre_shared_key/3, an OfferedPreSharedKeys record with a mismatched number of identities and binders is forwarded directly to tls_server_session_ticket:use/4, which crashes the session ticket handler process.
An unauthenticated remote attacker can send a single crafted ClientHello to a TLS 1.3 server with session tickets enabled (stateful or stateless mode) and permanently disrupt session ticket handling on that listener. New TLS 1.3 handshakes complete but subsequently crash when the server attempts to issue a session ticket, effectively making TLS 1.3 unusable on the affected listener until the ssl application is restarted. TLS 1.2 connections are not affected.
This issue affects OTP from 22.2 before 29.0.3, 28.5.0.3 and 27.3.4.14 corresponding to ssl from 9.5 before 11.7.3, 11.6.0.3 and 11.2.12.10.
AnalysisAI
Denial of service in the Erlang/OTP ssl application (OTP 22.2 through 29.0.3, and the 28.5.x/27.3.x maintenance branches) lets an unauthenticated remote attacker permanently disable TLS 1.3 session ticket handling on a listener with a single crafted ClientHello. Because the pre-shared key extension's identity list and binder list are not length-checked before being handed to the session ticket handler, a mismatched OfferedPreSharedKeys record crashes that process, causing all subsequent TLS 1.3 handshakes to fail at ticket issuance until the ssl application is restarted. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target to run a TLS 1.3 server on affected Erlang/OTP with session ticket handling enabled - either stateful or stateless mode - since the crash occurs in tls_server_session_ticket:use/4 when the server processes the PSK extension. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are consistent and point to a real, easily triggered availability threat with no confidentiality or integrity exposure. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker who can reach a TLS 1.3 listener with session tickets enabled sends a single crafted ClientHello whose pre-shared key extension carries an unequal number of PSK identities and binders. This crashes the tls_server_session_ticket handler process, and thereafter every TLS 1.3 handshake fails when the server attempts to issue a ticket, taking TLS 1.3 offline until the ssl application is restarted. … |
| Remediation | Upgrade Erlang/OTP to a fixed release: Vendor-released patch: OTP 29.0.3 (ssl 11.7.3), or on the maintenance branches OTP 28.5.0.3 (ssl 11.6.0.3) or 27.3.4.14 (ssl 11.2.12.10); choose the fixed version on your current major line to minimize disruption. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all systems running Erlang/OTP versions 22.2-29.0.3, 28.5.x, or 27.3.x. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Denial of service in Erlang/OTP erts (inet_drv SCTP handler) lets unauthenticated remote attackers crash the BEAM VM by
Remote denial of service in Erlang/OTP's ssl application (dtls_packet_demux module) lets an unauthenticated attacker cra
Authorization bypass in Erlang OTP's inets HTTP server allows unanauthenticated remote attackers to execute CGI scripts
Erlang OTP public_key module (versions 1.16 through 1.20.3 and 1.17.1.2) fails to cryptographically verify OCSP responde
Authentication bypass in Erlang/OTP's TLS distribution module (inet_tls_dist) lets any attacker holding a TLS certificat
Credential leakage in Erlang/OTP's inets httpc client (versions 17.0 through 29.0.2, 28.5.0.2, and 27.3.4.13) allows att
Stack-based buffer overflow in Erlang OTP's erl_interface C library (`ei_s_print_term`) crashes processes when decoding
Username enumeration via timing side-channel in Erlang/OTP SSH daemon (OTP 29.0-29.0.1) allows unauthenticated remote at
Erlang/OTP kernel inet_res DNS resolver uses predictable sequential transaction IDs and lacks source port randomization,
SSRF and FTP bounce attacks are enabled in Erlang/OTP's ftp_internal module because the PASV handler blindly trusts the
Blind plaintext injection into Erlang/OTP TLS clients allows a network-positioned attacker to insert unauthenticated APP
The DTLS server in Erlang/OTP ssl initializes its cookie secret to a hardcoded empty binary on startup, making HMAC-base
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41412