Time-of-check Time-of-use (TOCTOU) Race Condition in otp - CVE-2026-55950
Published: July 2, 2026
otp
Detailed vulnerability description
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a time-of-check time-of-use race condition in the dtls_packet_demux gen_server process when handling rapid DTLS client reconnects from the same source address and port. A remote attacker can send multiple valid ClientHello datagrams in quick succession to cause a denial of service.
The crash of the shared demultiplexing process terminates all active DTLS sessions on the affected listener. No completed handshake or credentials are required.
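The trigger described above (repeated ClientHello datagrams from one source address and port in quick succession) can be looked for in captured UDP metadata. The following is an added example, not code from this advisory or from the otp project. The input tuple format, the one-second window and the threshold of four are assumptions to tune per listener, and the sample datagrams are constructed.

```python
import struct
from collections import defaultdict, deque

HANDSHAKE = 22      # DTLS record content type: handshake
CLIENT_HELLO = 1    # handshake msg_type: ClientHello
WINDOW_S = 1.0      # assumed tuning value (seconds)
THRESHOLD = 4       # assumed; a cookie exchange alone sends 2, and clients retransmit on loss

def is_client_hello(payload: bytes) -> bool:
    """True if the UDP payload starts with a plaintext DTLS ClientHello record."""
    if len(payload) < 14:   # 13-byte record header + handshake msg_type byte
        return False
    ctype, major, _minor, epoch = struct.unpack_from("!BBBH", payload, 0)
    # DTLS versions are encoded as 0xFE__; a ClientHello is sent in epoch 0.
    return ctype == HANDSHAKE and major == 0xFE and epoch == 0 and payload[13] == CLIENT_HELLO

def find_bursts(datagrams, window=WINDOW_S, threshold=THRESHOLD):
    """datagrams: time-ordered iterable of (timestamp, src_ip, src_port, payload).
    Returns {(src_ip, src_port): peak ClientHello count in one window} for flagged sources."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, ip, port, payload in datagrams:
        if not is_client_hello(payload):
            continue
        q = recent[(ip, port)]
        q.append(ts)
        while ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[(ip, port)] = max(flagged.get((ip, port), 0), len(q))
    return flagged

def _record(ctype, msg_type):
    """Constructed minimal DTLS 1.2 record for the sample data (body zero-filled)."""
    hs = bytes([msg_type]) + bytes(11)   # 12-byte handshake header, empty body
    return struct.pack("!BBBH", ctype, 0xFE, 0xFD, 0) + bytes(6) + struct.pack("!H", len(hs)) + hs

# Constructed sample: documentation addresses, invented timestamps.
SAMPLE = (
    [(0.00, "192.0.2.10", 40000, _record(22, 1)), (0.05, "192.0.2.10", 40000, _record(22, 1))]
    + [(1.0 + i * 0.01, "198.51.100.7", 5000, _record(22, 1)) for i in range(6)]
    + [(1.06, "198.51.100.7", 5000, _record(23, 1))]   # application data, ignored
)

if __name__ == "__main__":
    print(find_bursts(SAMPLE))
```

A flagged source is only a signal to correlate with restarts of the DTLS listener; it does not by itself show that the demultiplexing process crashed.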