CVE-2026-54887
CVE-2026-54887 is a medium-severity vulnerability in Erlang Erlang/otp with a CVSS 3.x base score of 4.8. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-1394.
Key facts
- Severity: Medium (CVSS 3.x base score 4.8)
- CVSS v4: 6.3
- EPSS exploit prediction: 0% (31st percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-1394
- Affected product: Erlang Erlang/otp
- Published:
- Last modified:
Description
Use of Default Cryptographic Key vulnerability in Erlang/OTP ssl (DTLS server) allows predictable DTLS cookie computation during the startup window, enabling source address verification bypass. On DTLS server startup, dtls_server_connection:initial_hello/3 initializes previous_cookie_secret to the empty binary (<<>>) instead of a random value. Because HMAC with an empty key is deterministic, anyone who observes the plaintext ClientHello can compute dtls_handshake:cookie(<<>>, IP, Port, Hello) and forge a valid DTLS cookie before the first rotation of the cookie secret. The DTLS cookie (RFC 6347 §4.2.1) is a denial-of-service mitigation that prevents spoofed source IPs from forcing the server to allocate state and perform expensive cryptographic operations; it is not an authentication mechanism. During the window from server startup until the first secret rotation (0 to 15 seconds), an attacker who can observe the plaintext ClientHello can bypass the source address verification, enabling DTLS handshake amplification with spoofed source addresses. This vulnerability is associated with program file lib/ssl/src/dtls_server_connection.erl and program routine dtls_server_connection:initial_hello/3. This issue affects OTP from OTP 20.0 before 29.0.3, 28.5.0.3 and 27.3.4.14 corresponding to ssl from 8.2 before 11.7.3, 11.6.0.3 and 11.2.12.10.
Frequently asked questions
- What is CVE-2026-54887?
- Use of Default Cryptographic Key vulnerability in Erlang/OTP ssl (DTLS server) allows predictable DTLS cookie computation during the startup window, enabling source address verification bypass. On DTLS server startup, dtls_server_connection:initial_hello/3 initializes previous_cookie_secret to the empty binary (<<>>) instead of a random value. Because HMAC with an empty key is deterministic, anyone who observes the plaintext ClientHello can compute dtls_handshake:cookie(<<>>, IP, Port, Hello) and forge a valid DTLS cookie before the first rotation of the cookie secret. The DTLS cookie (RFC 6347 §4.2.1) is a denial-of-service mitigation that prevents spoofed source IPs from forcing the server to allocate state and perform expensive cryptographic operations; it is not an authentication mechanism. During the window from server startup until the first secret rotation (0 to 15 seconds), an attacker who can observe the plaintext ClientHello can bypass the source address verification, enabling DTLS handshake amplification with spoofed source addresses. This vulnerability is associated with program file lib/ssl/src/dtls_server_connection.erl and program routine dtls_server_connection:initial_hello/3. This issue affects OTP from OTP 20.0 before 29.0.3, 28.5.0.3 and 27.3.4.14 corresponding to ssl from 8.2 before 11.7.3, 11.6.0.3 and 11.2.12.10.
- How severe is CVE-2026-54887?
- CVE-2026-54887 has a CVSS 3.x base score of 4.8, rated medium severity. It is exploitable over network with high attack complexity, requires no privileges and no user interaction. Impact on confidentiality is low, integrity low, and availability none.
- Is CVE-2026-54887 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (31st percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-54887?
- CVE-2026-54887 primarily affects Erlang Erlang/otp. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2026-54887?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2026-54887 published?
- CVE-2026-54887 was published on 2026-07-02 and last updated on 2026-07-07.
References
- https://cna.erlef.org/cves/CVE-2026-54887.html
- https://github.com/erlang/otp/commit/888e3bcd72d5406016b9e0de741026bc2a6f114d
- https://github.com/erlang/otp/security/advisories/GHSA-p2m2-3c2w-8jp8
- https://osv.dev/vulnerability/EEF-CVE-2026-54887
- https://www.erlang.org/doc/system/versions.html#order-of-versions
Affected products (2)
- cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
- cpe:2.3:a:erlang:erlang\/ssl:*:*:*:*:*:*:*:*
More vulnerabilities in Erlang Erlang/otp
- CVE-2025-32433 — Critical (CVSS 10.0): Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and…
- CVE-2026-28808 — Critical (CVSS 9.8): Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts…
- CVE-2022-37026 — Critical (CVSS 9.8): In Erlang/OTP before 23.3.4.15, 24.x before 24.3.4.2, and 25.x before 25.0.2, there is a Client Authentication Bypass…
- CVE-2016-10253 — Critical (CVSS 9.8): An issue was discovered in Erlang/OTP 18.x. Erlang's generation of compiled regular expressions is vulnerable to a heap…
- CVE-2026-23941 — Critical (CVSS 9.4): Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Erlang OTP (inets httpd…
- CVE-2026-49759 — High (CVSS 8.2): Stack-based Buffer Overflow vulnerability in Erlang OTP erts (inet_drv) allows an unauthenticated remote attacker to…
All CVEs affecting Erlang Erlang/otp →
Other CWE-1394 vulnerabilities
- CVE-2025-41742 — Critical (CVSS 9.8): Sprecher Automations SPRECON-E-C, SPRECON-E-P, SPRECON-E-T3 is vulnerable to attack by an unauthorized remote…
- CVE-2024-48956 — Critical (CVSS 9.8): Serviceware Processes 6.0 through 7.3 before 7.4 allows attackers without valid authentication to send a specially…
- CVE-2025-41744 — Critical (CVSS 9.1): Sprecher Automations SPRECON-E series uses default cryptographic keys that allow an unprivileged remote attacker to…
- CVE-2025-55049 — Critical (CVSS 9.1): Use of Default Cryptographic Key (CWE-1394)
- CVE-2024-1275 — Critical (CVSS 9.1): Use of Default Cryptographic Key vulnerability in Baxter Welch Allyn Connex Spot Monitor may allow…
- CVE-2024-29037 — Critical (CVSS 9.1): datahub-helm provides the Kubernetes Helm charts for deploying Datahub and its dependencies on a Kubernetes cluster.…