CVE-2025-30211
Published: 2025-03-28
Priority: P3 (40) · Severity: high · CVSS 3.1: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.44% (34.8th percentile)
Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.1, 26.2.5.10, and 25.3.2.19, a maliciously formed KEX init message can result in high memory usage. The implementation does not verify the RFC-specified limit on algorithm names (64 characters) provided in the KEX init message. A large KEX init packet may lead to inefficient processing of the error data; as a result, a large amount of memory is allocated while processing the malicious data. Versions OTP-27.3.1, OTP-26.2.5.10, and OTP-25.3.2.19 fix the issue. Some workarounds are available: set the option `parallel_login` to `false` and/or reduce the `max_sessions` option.
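The missing check described above, as an added Python example that is not Erlang/OTP's own code: a KEXINIT parser that enforces the RFC 4251 64-character algorithm-name limit while scanning, so an oversized name-list is rejected before the rest of the message is processed or any large structure is built. It assumes the RFC 4253 KEXINIT layout (message type 20, 16-byte cookie, ten name-lists, a boolean and a reserved uint32); `build_kexinit` is a constructed test helper, not part of any SSH library.

```python
import struct
SSH_MSG_KEXINIT = 20
MAX_NAME_LEN = 64    # RFC 4251 section 6: an algorithm name is at most 64 characters
KEXINIT_LISTS = 10   # RFC 4253 section 7.1: ten name-lists follow the 16-byte cookie

class KexInitError(ValueError):
    """A KEXINIT message that violates a protocol limit."""

def parse_name_list(buf, offset):
    """Parse one name-list (uint32 length + comma-separated names). Name length is
    checked on every byte, so an oversized name is rejected before the list is consumed."""
    if offset + 4 > len(buf):
        raise KexInitError("truncated name-list length")
    (length,) = struct.unpack_from(">I", buf, offset)
    start, end = offset + 4, offset + 4 + length
    if end > len(buf):
        raise KexInitError("name-list length exceeds packet")
    names = []
    for i in range(start, end + 1):
        if i - start > MAX_NAME_LEN:
            raise KexInitError("algorithm name longer than 64 characters")
        if i == end or buf[i] == 0x2C:            # ',' separates names
            if i > start:                         # skip empty names
                names.append(buf[start:i].decode("ascii"))
            start = i + 1
    return names, end

def parse_kexinit(payload):                       # returns ten name-lists or raises
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise KexInitError("not a KEXINIT payload")
    offset, lists = 17, []                        # 1-byte type + 16-byte cookie
    for _ in range(KEXINIT_LISTS):
        names, offset = parse_name_list(payload, offset)
        lists.append(names)
    if len(payload) - offset != 5:                # boolean + reserved uint32
        raise KexInitError("trailing fields malformed")
    return lists

def is_valid_kexinit(payload):
    try:
        return bool(parse_kexinit(payload))
    except ValueError:                            # KexInitError or non-ASCII name
        return False

def build_kexinit(kex_names, other=("none",)):    # constructed sample builder
    def nl(names):
        body = ",".join(names).encode("ascii")
        return struct.pack(">I", len(body)) + body
    lists = [nl(kex_names)] + [nl(other)] * (KEXINIT_LISTS - 1)
    return bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16 + b"".join(lists) + b"\x00" * 5
```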
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | erlang | < erlang 1:25.2.3+dfsg-1+deb12u1 (bookworm) | erlang 1:25.2.3+dfsg-1+deb12u1 (bookworm) |
| erlang | otp | < OTP-27.3.1 | OTP-27.3.1 |
| erlang | otp | < OTP-26.2.5.10 | OTP-26.2.5.10 |
| erlang | otp | < OTP-25.3.2.19 | OTP-25.3.2.19 |
| msrc | azl3_erlang_26.2.5.10-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_erlang_26.2.5.9-1_on_azure_linux_3.0 | — | — |
| msrc | cbl2_erlang_25.2-3_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_erlang_25.2-4_on_cbl_mariner_2.0 | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_msrc | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
Ubuntu
Erlang vulnerability
vendor_ubuntu · 2025-04-08
Summary: Erlang could be made to consume a large amount of memory.
It was discovered that Erlang OTP's SSH module did not limit the size of certain data in initialization messages. An attacker could possibly use this issue to consume a large amount of memory, leading to a denial of service.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
erlang: KEX init error results with excessive memory usage
vendor_redhat · 2025-03-28 · CVSS 7.5 · HIGH · CWE-789
A flaw was found in Erlang/OTP. This vulnerability allows an attacker to ca
Microsoft
KEX init error results with excessive memory usage
vendor_msrc · 2025-03-11 · CVSS 7.5 · HIGH · CWE-789
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://lear
Debian
CVE-2025-30211: erlang
vendor_debian · 2025 · CVSS 7.5 · HIGH
Scope: local
bookworm: resolved (fixed in 1:25.2.3+dfsg-1+deb12u1)
bullseye: resolved (fixed in 1:23.2.6+dfsg-1+deb11u2)
forky: resolved
OSV
CVE-2025-30211: Erlang/OTP is a set of libraries for the Erlang programming language
osv · 2025-03-28 · CVSS 7.5 · HIGH
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.