Infinite loop in otp - CVE-2026-54886


Published: July 2, 2026


Vulnerability identifier: #VU136826
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-54886
CWE-ID: CWE-835
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: erlang
Affected software: otp

Detailed vulnerability description

The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to an infinite loop in handle_data/4 in ssh_sftpd.erl when processing SSH_MSG_CHANNEL_EXTENDED_DATA on an established SFTP channel. A remote user can send a specially crafted extended data message to cause a denial of service.

The issue affects targeted SFTP channel processes, which become permanently unresponsive while continuing to consume CPU time and accumulate unbounded message queue memory. Opening many channels can amplify the impact.
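The two symptoms named above, a channel process that keeps burning CPU while its mailbox grows without bound, are both observable from inside the node. The module below is an added example written for this page; it is not code from the advisory or from Erlang/OTP. It samples every process twice, a configurable interval apart, and reports those whose message queue is at least a threshold and did not shrink while their reduction count still advanced. The thresholds (`MinQueue`, `MinReductions`) and the module name are assumptions to be tuned per node; `current_function` is included in the report so an operator can see whether the process is sitting in `ssh_sftpd`, the module named in the description.

```erlang
%% Added example, not part of the advisory or of Erlang/OTP.
%% Flags processes that show the reported symptom: a mailbox that keeps
%% growing while the process still consumes CPU (reductions advance).
-module(channel_spin_watch).
-export([sample/0, spinning/3, report/2]).

%% One sample of every live process:
%% {Pid, MessageQueueLen, Reductions, CurrentFunction}.
sample() ->
    lists:filtermap(fun sample_one/1, erlang:processes()).

sample_one(Pid) ->
    case erlang:process_info(Pid, [message_queue_len, reductions, current_function]) of
        undefined ->
            %% Process exited between processes() and process_info/2.
            false;
        Info ->
            {true, {Pid,
                    proplists:get_value(message_queue_len, Info),
                    proplists:get_value(reductions, Info),
                    proplists:get_value(current_function, Info)}}
    end.

%% Compare two samples. A process is reported when, in the later sample,
%% its queue length is at least MinQueue and has not shrunk since the
%% earlier sample, and its reduction count grew by at least MinReductions.
%% Both thresholds are assumptions for this example; tune them to the node.
%% Processes absent from the earlier sample get a zero reduction delta and
%% are therefore only reported when MinReductions is 0.
spinning(Before, After, {MinQueue, MinReductions}) ->
    BeforeMap = maps:from_list([{P, {Q, R}} || {P, Q, R, _} <- Before]),
    [{Pid, Q2, R2 - R1, CurFun}
     || {Pid, Q2, R2, CurFun} <- After,
        {Q1, R1} <- [maps:get(Pid, BeforeMap, {0, R2})],
        Q2 >= MinQueue,
        Q2 >= Q1,
        R2 - R1 >= MinReductions].

%% Take two samples IntervalMs apart, log each suspect, and return the list
%% so a supervisor or health check can act on it (e.g. close the channel).
report(IntervalMs, Thresholds) ->
    Before = sample(),
    timer:sleep(IntervalMs),
    After = sample(),
    Suspects = spinning(Before, After, Thresholds),
    lists:foreach(
      fun({Pid, QueueLen, ReductionDelta, CurFun}) ->
              logger:warning(
                "possible spinning channel process ~p: queue=~p "
                "reductions=+~p current_function=~p",
                [Pid, QueueLen, ReductionDelta, CurFun])
      end, Suspects),
    Suspects.
```

Run it from a remote shell on the affected node, for example `channel_spin_watch:report(1000, {1000, 1000000})`, which reports processes whose mailbox holds at least 1000 messages and that executed at least a million reductions during the one-second window; healthy SFTP channels drain their mailbox, so a queue that only grows between samples is the signal to look for.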


How to mitigate CVE-2026-54886

Install the security update from the vendor's website.

Sources