| Field | Value |
|---|---|
| Risk | Critical |
| Patch available | YES |
| Number of vulnerabilities | 4 |
| CVE-ID | CVE-2023-48795, CVE-2025-26618, CVE-2025-30211, CVE-2025-32433 |
| CWE-ID | CWE-326, CWE-789, CWE-306 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #1 is available. Vulnerability #4 is being exploited in the wild. |
| Vulnerable software | Debian Linux (Operating systems & Components / Operating system); erlang (Debian package) (Operating systems & Components / Operating system package or component) |
| Vendor | Debian |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
EUVDB-ID: #VU84537
Risk: Low
CVSSv4.0: 2.9 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2023-48795
CWE-ID:
CWE-326 - Inadequate Encryption Strength
Exploit availability: Yes
Description: The vulnerability allows a remote attacker to perform a MitM attack.
The vulnerability exists due to an incorrect implementation of the SSH Binary Packet Protocol (BPP), which mishandles the handshake phase and the use of sequence numbers. A remote attacker can perform a MitM attack and delete the SSH2_MSG_EXT_INFO message sent before authentication starts, allowing the attacker to disable a subset of the keystroke timing obfuscation features introduced in OpenSSH 9.5.
The vulnerability was dubbed the "Terrapin attack" and affects both client and server implementations.
Mitigation: Update the erlang package to version 1:25.2.3+dfsg-1+deb12u1.
Vulnerable software versions:
Debian Linux: All versions
erlang (Debian package): before 1:25.2.3+dfsg-1+deb12u1
CPE2.3:
https://lists.debian.org/debian-security-announce/2025/msg00068.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.
EUVDB-ID: #VU106951
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-26618
CWE-ID:
CWE-789 - Uncontrolled Memory Allocation
Exploit availability: No
Description: The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper handling of SFTP packets. A remote attacker can send multiple SFTP packets to the application and consume a large amount of memory, resulting in a denial of service.
Mitigation: Update the erlang package to version 1:25.2.3+dfsg-1+deb12u1.
Vulnerable software versions:
Debian Linux: All versions
erlang (Debian package): before 1:25.2.3+dfsg-1+deb12u1
CPE2.3:
https://lists.debian.org/debian-security-announce/2025/msg00068.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU106381
Risk: High
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2025-30211
CWE-ID:
CWE-789 - Uncontrolled Memory Allocation
Exploit availability: No
Description: The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the implementation does not verify the RFC-specified limits on the algorithm names provided in the KEX init message. A remote attacker can cause a denial of service (DoS) condition on the target system.
Mitigation: Update the erlang package to version 1:25.2.3+dfsg-1+deb12u1.
Vulnerable software versions:
Debian Linux: All versions
erlang (Debian package): before 1:25.2.3+dfsg-1+deb12u1
CPE2.3:
https://lists.debian.org/debian-security-announce/2025/msg00068.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU107594
Risk: Critical
CVSSv4.0: 9.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red]
CVE-ID: CVE-2025-32433
CWE-ID:
CWE-306 - Missing Authentication for Critical Function
Exploit availability: Yes
Description: The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to missing authentication in the Erlang/OTP SSH server. A remote non-authenticated attacker can send specially crafted messages to the server and execute arbitrary code on the system.
Mitigation: Update the erlang package to version 1:25.2.3+dfsg-1+deb12u1.
Vulnerable software versions:
Debian Linux: All versions
erlang (Debian package): before 1:25.2.3+dfsg-1+deb12u1
CPE2.3:
https://lists.debian.org/debian-security-announce/2025/msg00068.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
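All four entries share one mitigation, and the vulnerable range is stated as "before 1:25.2.3+dfsg-1+deb12u1". Deciding whether an installed erlang package falls inside that range requires Debian's version ordering, not a string comparison (as plain strings, a hypothetical `...+deb12u10` sorts before `...+deb12u2`, and the `~` suffix used by backports sorts before everything). The following Python is an added example, not code from this bulletin, from Debian or from dpkg: it ports the comparison algorithm described in Debian Policy section 5.6.12 (epoch, upstream version, Debian revision) and applies it to a constructed `dpkg-query` listing. On a real Debian host the authoritative check is `dpkg --compare-versions`; this port is for auditing package inventories offline.

```python
"""Decide whether an installed Debian erlang version predates the fixed
version named in the bulletin. Added example; the comparison is a port of
the algorithm in Debian Policy 5.6.12, and the dpkg-query output below is
constructed for illustration."""

FIXED_ERLANG_VERSION = "1:25.2.3+dfsg-1+deb12u1"   # fixed version from the bulletin


def _isdigit(c):
    return c != "" and c in "0123456789"


def _order(c):
    """Sort weight of one character inside a non-digit run."""
    if c == "" or _isdigit(c):
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1            # '~' sorts before the end of the string
    return ord(c) + 256      # other punctuation sorts after letters


def _char(s, i):
    return s[i] if i < len(s) else ""


def _verrevcmp(a, b):
    """Compare two version fragments by alternating non-digit runs
    (character weights) and numeric runs (compared as integers)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not _isdigit(a[i])) or (j < len(b) and not _isdigit(b[j])):
            ac, bc = _order(_char(a, i)), _order(_char(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while _char(a, i) == "0":        # leading zeros are insignificant
            i += 1
        while _char(b, j) == "0":
            j += 1
        while _isdigit(_char(a, i)) and _isdigit(_char(b, j)):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if _isdigit(_char(a, i)):        # longer numeric run wins
            return 1
        if _isdigit(_char(b, j)):
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch, rest = 0, v
    if ":" in rest:
        e, rest = rest.split(":", 1)
        epoch = int(e)
    upstream, revision = rest, ""
    if "-" in rest:
        upstream, revision = rest.rsplit("-", 1)
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as a <, ==, > b under Debian version ordering."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0


def is_vulnerable(installed, fixed=FIXED_ERLANG_VERSION):
    """True when the installed version is strictly below the fixed one."""
    return compare_versions(installed, fixed) < 0


# Constructed sample of: dpkg-query -W -f='${Package} ${Version}\n' 'erlang*'
SAMPLE_DPKG_QUERY = """\
erlang 1:25.2.3+dfsg-1
erlang-base 1:25.2.3+dfsg-1+deb12u1
"""


def check_dpkg_report(text, fixed=FIXED_ERLANG_VERSION):
    """Map each 'package version' line to True if that version needs the update."""
    result = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        pkg, ver = line.split(None, 1)
        result[pkg] = is_vulnerable(ver.strip(), fixed)
    return result


if __name__ == "__main__":
    for pkg, vuln in check_dpkg_report(SAMPLE_DPKG_QUERY).items():
        print(f"{pkg}: {'UPDATE NEEDED' if vuln else 'at or above fixed version'}")
```

The epoch is compared first, so a version string without the `1:` prefix is treated as older than the fixed version even if the rest looks newer; that matches dpkg and is why inventory tools must keep the epoch when recording versions.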