Main Vulnerability Database Vulnerabilities #VU106951

Uncontrolled memory allocation in otp - CVE-2025-26618

Published: April 3, 2025

Vulnerability identifier: #VU106951

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2025-26618

CWE-ID: CWE-789

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: erlang

Affected software:
otp

Detailed vulnerability description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper handling of SFTP packets. A remote attacker can send multiple SFTP packets to the application and consume large amount of memory, resulting in a denial of service.

How to mitigate CVE-2025-26618

Install updates from vendor's website.

Sources

https://erlang.org/download/OTP-27.2.4.README.md
https://github.com/erlang/otp/commit/0ed2573cbd55c92e9125c9dc70fa1ca7fed82872
https://github.com/erlang/otp/security/advisories/GHSA-78cv-45vx-q6fr

Uncontrolled memory allocation in otp - CVE-2025-26618

Detailed vulnerability description

How to mitigate CVE-2025-26618

Sources

Please verify you're human