2355785 – (CVE-2025-30211) CVE-2025-30211 erlang: KEX init error results with excessive memory usage

Bug 2355785 (CVE-2025-30211) - CVE-2025-30211 erlang: KEX init error results with excessive memory usage

Summary: CVE-2025-30211 erlang: KEX init error results with excessive memory usage

Keywords:
Status:	NEW
Alias:	CVE-2025-30211
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2356153 2356154 2356155 2356156
Blocks:
TreeView+	depends on / blocked

Reported:	2025-03-28 15:01 UTC by OSIDB Bzimport
Modified:	2025-03-31 13:05 UTC (History)
CC List:	8 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-03-28 15:01:22 UTC

Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.1, 26.2.5.10, and 25.3.2.19, a maliciously formed KEX init message can result with high memory usage. Implementation does not verify RFC specified limits on algorithm names (64 characters) provided in KEX init message. Big KEX init packet may lead to inefficient processing of the error data. As a result, large amount of memory will be allocated for processing malicious data. Versions OTP-27.3.1, OTP-26.2.5.10, and OTP-25.3.2.19 fix the issue. Some workarounds are available. One may set option `parallel_login` to `false` and/or reduce the `max_sessions` option.

Note You need to log in before you can comment on or make changes to this bug.