CVE-2026-55950
Erlang · OTP
A TOCTOU race condition in the Erlang/OTP ssl module allows unauthenticated remote attackers to crash DTLS sessions.
Executive summary
An unauthenticated remote attacker can trigger a denial-of-service condition by exploiting a race condition in the Erlang/OTP DTLS implementation.
Vulnerability
This vulnerability is a Time-of-check Time-of-use (TOCTOU) race condition located in the dtls_packet_demux module. It allows an unauthenticated remote attacker to disrupt communication by crashing active DTLS sessions on a listener.
Business impact
The ability of an unauthenticated attacker to remotely crash DTLS sessions is a direct threat to service availability. Given the CVSS score of 8.7, this vulnerability poses a substantial risk to systems relying on Erlang/OTP for secure, real-time communications, and exploitation could cause significant operational downtime.
Remediation
Immediate Action: Apply the latest security patches released by the Erlang/OTP maintainers that address the race condition in the ssl application's DTLS packet demultiplexer.
Proactive Monitoring: Monitor server performance and DTLS connection logs for frequent, unexplained session drops or crashes.
Compensating Controls: Where feasible, apply network-level rate limiting or traffic filtering in front of DTLS listeners to reduce the impact of exploitation attempts until patches are deployed.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Organizations running services powered by Erlang/OTP should verify their current OTP and ssl application versions and apply patches immediately. Because the vulnerability is remotely reachable without authentication, it is an attractive target for service disruption, and prompt remediation is needed to maintain service stability.