Time-of-check Time-of-use (TOCTOU) Race Condition in otp - CVE-2026-55950

 

Time-of-check Time-of-use (TOCTOU) Race Condition in otp - CVE-2026-55950

Published: July 2, 2026


Vulnerability identifier: #VU136824
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-55950
CWE-ID: CWE-367
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: erlang
Affected software:
otp

Detailed vulnerability description

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a time-of-check time-of-use race condition in the dtls_packet_demux gen_server process when handling rapid DTLS client reconnects from the same source address and port. A remote attacker can send multiple valid ClientHello datagrams in quick succession to cause a denial of service.

The crash of the shared demultiplexing process terminates all active DTLS sessions on the affected listener, and no completed handshake or credentials are required.


How to mitigate CVE-2026-55950

Install security update from vendor's website.

Sources