CVE-2026-55952

Severity: High

Published: 02 July 2026
Modified: 02 July 2026
KEV Added: not listed
CVSS v4.0 base score: 8.2 (High)
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0046 (36.9th percentile)
Risk priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-55952 is a high-severity vulnerability in the Erlang/OTP ssl application (vendor Erlef, inferred from references), classified as Improper Validation of Specified Quantity in Input (CWE-1284). Its CVSS base score is 8.2 (High).

Operationally, its EPSS ranks at the 36.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

The Erlang/OTP ssl application does not validate that the PSK identity list and binder list carried in a TLS 1.3 ClientHello pre-shared key extension have equal length before passing them to the session ticket handler. In tls_handshake_1_3:handle_pre_shared_key/3, an OfferedPreSharedKeys record with a mismatched number of identities and binders is forwarded directly to tls_server_session_ticket:use/4, which crashes the session ticket handler process. An unauthenticated remote attacker can send a single crafted ClientHello to a TLS 1.3 server with session tickets enabled (stateful or stateless mode) and permanently disrupt session ticket handling on that listener. New TLS 1.3 handshakes complete but subsequently crash when the server attempts to issue a session ticket, effectively making TLS 1.3 unusable on the affected listener until the ssl application is restarted. TLS 1.2 connections are not affected. This issue affects OTP from 22.2 before 29.0.3, 28.5.0.3 and 27.3.4.14 (corresponding to ssl from 9.5 before 11.7.3, 11.6.0.3 and 11.2.12.10).
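The missing consistency check, shown as an added standalone Python example rather than OTP's own code: it parses a pre_shared_key extension body in the RFC 8446 wire format and rejects it before any ticket handling when the identity and binder counts differ. All names, the error type and the sample bytes used to exercise it are constructed for this illustration.

```python
# Added example (not OTP code): parse a TLS 1.3 pre_shared_key extension body
# (RFC 8446 section 4.2.11) and reject it when the PskIdentity count differs
# from the PskBinderEntry count, the check the advisory says ssl skipped.
import struct
from dataclasses import dataclass

class PskExtensionError(ValueError):
    """Malformed or inconsistent pre_shared_key extension body."""

@dataclass
class OfferedPsks:
    identities: list  # (identity bytes, obfuscated_ticket_age) pairs
    binders: list     # binder bytes, one per identity

def _read_vector(buf, pos, len_bytes):
    """Read a TLS length-prefixed vector; the prefix is len_bytes wide."""
    if pos + len_bytes > len(buf):
        raise PskExtensionError("truncated length prefix")
    n = int.from_bytes(buf[pos:pos + len_bytes], "big")
    pos += len_bytes
    if pos + n > len(buf):
        raise PskExtensionError("vector runs past end of extension")
    return buf[pos:pos + n], pos + n

def parse_offered_psks(ext):
    """Parse OfferedPsks, enforcing identity/binder count equality."""
    ids_blob, pos = _read_vector(ext, 0, 2)
    binders_blob, pos = _read_vector(ext, pos, 2)
    if pos != len(ext):
        raise PskExtensionError("trailing bytes after binders")
    identities, p = [], 0
    while p < len(ids_blob):
        ident, p = _read_vector(ids_blob, p, 2)
        if not ident or p + 4 > len(ids_blob):
            raise PskExtensionError("bad PskIdentity entry")
        identities.append((ident, struct.unpack(">I", ids_blob[p:p + 4])[0]))
        p += 4
    binders, p = [], 0
    while p < len(binders_blob):
        binder, p = _read_vector(binders_blob, p, 1)
        if not 32 <= len(binder) <= 255:
            raise PskExtensionError("binder length outside 32..255")
        binders.append(binder)
    if not identities:
        raise PskExtensionError("no PSK identities offered")
    # The missing check: only a consistent record may reach ticket handling.
    if len(identities) != len(binders):
        raise PskExtensionError(
            f"{len(identities)} identities but {len(binders)} binders")
    return OfferedPsks(identities, binders)
```

A server that applies this check responds with a handshake failure for the inconsistent extension instead of letting the malformed record crash a long-lived handler process.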

CWE(s)

CWE-1284: Improper Validation of Specified Quantity in Input

CVEs Like This One

CVE-2026-12059 (shared CWE-1284)
CVE-2022-0214 (shared CWE-1284)
CVE-2022-25727 (shared CWE-1284)
CVE-2023-27941 (shared CWE-1284)
CVE-2022-25375 (shared CWE-1284)
CVE-2026-49078 (shared CWE-1284)
CVE-2026-40093 (shared CWE-1284)
CVE-2026-45441 (shared CWE-1284)
CVE-2022-0414 (shared CWE-1284)
CVE-2021-43267 (shared CWE-1284)

Affected Assets

Erlef (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.