
CVE-2025-30211

High

Published: 28 March 2025

Modified: 15 April 2026
CVSS Score (v3.1): 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0015 (35.9th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-30211 is a high-severity Memory Allocation with Excessive Size Value (CWE-789) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). Its exploit likelihood ranks at the 35.9th percentile (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-30211 is a vulnerability in Erlang/OTP, a set of libraries for the Erlang programming language, affecting versions prior to OTP-27.3.1, OTP-26.2.5.10, and OTP-25.3.2.19. The issue stems from the SSH implementation's failure to verify RFC-specified limits on algorithm names, which are restricted to 64 characters in KEX init messages. A maliciously formed KEX init message with oversized algorithm names triggers inefficient error processing, leading to excessive memory allocation and potential high memory usage.

The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating it is exploitable over the network with low complexity, no privileges or user interaction required. Remote attackers can send a specially crafted KEX init packet to an affected Erlang/OTP SSH server, causing significant memory consumption and potential denial-of-service through resource exhaustion.

Patched versions OTP-27.3.1, OTP-26.2.5.10, and OTP-25.3.2.19 address the issue by enforcing the algorithm name length limits. Advisories recommend upgrading to these versions; workarounds include setting the `parallel_login` option to `false` and/or reducing the `max_sessions` option to limit exposure. Further details are available in the Erlang/OTP GitHub security advisory (GHSA-vvr3-fjhh-cfwc) and Debian LTS announcement.
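As an added illustration, and not code from Erlang/OTP itself (whose SSH implementation is written in Erlang), the stand-alone Python parser below reads an SSH_MSG_KEXINIT payload (RFC 4253 section 7.1) and rejects any algorithm name longer than the 64-character limit of RFC 4251 section 6 before doing anything further with the message, which is the check the patched OTP versions are described as enforcing. The function names, the `KexInitError` type and the `build_kexinit` test helper are assumptions of this example.

```python
import struct

SSH_MSG_KEXINIT = 20
MAX_NAME_LEN = 64     # RFC 4251 section 6: an algorithm name is at most 64 characters
NAME_LIST_COUNT = 10  # kex, hostkey, enc c2s/s2c, mac c2s/s2c, comp c2s/s2c, lang c2s/s2c

class KexInitError(ValueError):
    """Raised as soon as a KEXINIT field violates a limit."""

def _read_string(buf: bytes, off: int):
    # SSH 'name-list' wire format: uint32 big-endian length, then that many bytes.
    if off + 4 > len(buf):
        raise KexInitError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise KexInitError("name-list length exceeds payload")
    return buf[off:off + n], off + n

def parse_kexinit(payload: bytes, max_name_len: int = MAX_NAME_LEN):
    """Parse an SSH_MSG_KEXINIT payload (RFC 4253 section 7.1) into ten name-lists.
    Every name is length-checked before it is decoded or stored, so an oversized
    name is rejected before any further processing of the message."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise KexInitError("not a KEXINIT payload")
    off = 17  # 1-byte message id + 16-byte cookie
    name_lists = []
    for _ in range(NAME_LIST_COUNT):
        raw, off = _read_string(payload, off)
        names = raw.split(b",") if raw else []
        for name in names:
            if len(name) > max_name_len:
                raise KexInitError(f"algorithm name of {len(name)} bytes exceeds {max_name_len}")
            # Names are non-empty printable US-ASCII with no commas or whitespace.
            if not name or any(c < 0x21 or c > 0x7E for c in name):
                raise KexInitError("malformed algorithm name")
        name_lists.append([n.decode("ascii") for n in names])
    # Trailer: first_kex_packet_follows (1 byte) + reserved uint32 (4 bytes).
    if off + 5 != len(payload):
        raise KexInitError("bad KEXINIT trailer")
    return name_lists

def build_kexinit(name_lists, cookie: bytes = b"\x00" * 16) -> bytes:
    """Encode ten name-lists as a KEXINIT payload (helper for constructed test input)."""
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for names in name_lists:
        raw = ",".join(names).encode("ascii")
        out += struct.pack(">I", len(raw)) + raw
    return out + b"\x00" + b"\x00\x00\x00\x00"
```

The same early rejection is the property to look for when reviewing any SSH server's KEXINIT handling: length limits should be applied per field while parsing, not after the whole message has been turned into strings.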

EU & UK References

Vulnerability details

Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.1, 26.2.5.10, and 25.3.2.19, a maliciously formed KEX init message can result in high memory usage. The implementation does not verify the RFC-specified limits on algorithm names (64 characters) provided in the KEX init message. A big KEX init packet may lead to inefficient processing of the error data. As a result, a large amount of memory will be allocated for processing malicious data. Versions OTP-27.3.1, OTP-26.2.5.10, and OTP-25.3.2.19 fix the issue. Some workarounds are available. One may set the option `parallel_login` to `false` and/or reduce the `max_sessions` option.

CWE(s)

CWE-789 Memory Allocation with Excessive Size Value

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The vulnerability allows remote unauthenticated attackers to send crafted SSH KEX init messages with oversized algorithm names, triggering excessive memory allocation and resource exhaustion on the SSH server, directly mapping to application/system exploitation for endpoint DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-20048 (shared CWE-789)
CVE-2026-44375 (shared CWE-789)
CVE-2026-22026 (shared CWE-789)
CVE-2026-33524 (shared CWE-789)
CVE-2026-9538 (shared CWE-789)
CVE-2026-28253 (shared CWE-789)
CVE-2026-24158 (shared CWE-789)
CVE-2026-39312 (shared CWE-789)
CVE-2026-8485 (shared CWE-789)
CVE-2024-52791 (shared CWE-789)

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-10 Information Input Validation): Enforces validation of algorithm name lengths in SSH KEX init messages against the RFC limit of 64 characters, directly preventing excessive memory allocation from malformed inputs.

Prevent (SC-5 Denial-of-service Protection): Implements denial-of-service protections such as rate limiting and resource quotas for SSH connections to mitigate remote memory exhaustion attacks.

Prevent (flaw remediation): Requires timely remediation through patching to versions such as OTP-27.3.1 that enforce algorithm name length checks in the SSH implementation.

References