Improper Validation of Specified Quantity in Input in otp - CVE-2026-55952
Published: July 2, 2026
otp
Detailed vulnerability description
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper validation of specified quantity in input in the TLS 1.3 session ticket handler when processing a malformed ClientHello with mismatched PSK identity and binder list lengths. A remote attacker can send a specially crafted ClientHello message to cause a denial of service.
Only TLS 1.3 servers with session tickets enabled are vulnerable. TLS 1.2 connections are not affected.
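The missing check, shown as an added example (not OTP's code; the advisory does not describe how OTP fixed it): a strict parser for the ClientHello pre_shared_key extension body that rejects input unless the identity and binder counts match. The field layout follows RFC 8446 section 4.2.11; the function names and sample values are hypothetical and constructed for illustration.

```python
import struct

class PskFormatError(ValueError):
    """Raised when an OfferedPsks body is malformed."""

def _take(buf, off, n):
    # Bounds-checked slice: never read past the end of the buffer.
    if off + n > len(buf):
        raise PskFormatError("truncated field")
    return buf[off:off + n], off + n

def parse_offered_psks(body):
    """Parse a pre_shared_key extension body (RFC 8446, 4.2.11) strictly."""
    raw, off = _take(body, 0, 2)                      # identities<7..2^16-1>
    ids_blob, off = _take(body, off, struct.unpack("!H", raw)[0])
    raw, off = _take(body, off, 2)                    # binders<33..2^16-1>
    binders_blob, off = _take(body, off, struct.unpack("!H", raw)[0])
    if off != len(body):
        raise PskFormatError("trailing bytes after binders")

    identities, pos = [], 0
    while pos < len(ids_blob):
        raw, pos = _take(ids_blob, pos, 2)            # identity<1..2^16-1>
        ident, pos = _take(ids_blob, pos, struct.unpack("!H", raw)[0])
        raw, pos = _take(ids_blob, pos, 4)            # obfuscated_ticket_age
        if not ident:
            raise PskFormatError("empty identity")
        identities.append((ident, struct.unpack("!I", raw)[0]))

    binders, pos = [], 0
    while pos < len(binders_blob):
        raw, pos = _take(binders_blob, pos, 1)        # PskBinderEntry<32..255>
        binder, pos = _take(binders_blob, pos, raw[0])
        if len(binder) < 32:
            raise PskFormatError("binder shorter than 32 bytes")
        binders.append(binder)

    # The quantity check this advisory concerns: one binder per identity.
    if not identities or len(identities) != len(binders):
        raise PskFormatError(f"{len(identities)} identities but {len(binders)} binders")
    return [(i, age, b) for (i, age), b in zip(identities, binders)]

def encode_offered_psks(identities, binders):
    """Build a constructed sample body for exercising the parser."""
    ids = b"".join(struct.pack("!H", len(i)) + i + struct.pack("!I", a)
                   for i, a in identities)
    bs = b"".join(bytes([len(b)]) + b for b in binders)
    return struct.pack("!H", len(ids)) + ids + struct.pack("!H", len(bs)) + bs
```

Pairing identities with binders only after the count comparison means later code never indexes a binder that was not sent.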