CVE-2025-26618: 
CBL Mariner vulnerability analysis and mitigation

Erlang OTP (Open Telecom Platform) has been found to contain a vulnerability (CVE-2025-26618) related to improper SFTP packet size verification. The vulnerability affects OTP versions up to 27.2.3, 26.2.5.8, and 25.3.2.17. This issue was discovered and disclosed on February 20, 2025, affecting the SSH/SFTP implementation in the Erlang runtime system (GitHub Advisory).

The vulnerability stems from improper verification of SFTP packet sizes in the Erlang OTP library. When multiple SSH packets (conforming to max SSH packet size) are received, they might be combined into an SFTP packet that exceeds the maximum allowed packet size. The issue has been assigned a CVSS v4.0 base score of 7.0 (High) with the vector string CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H. The vulnerability is classified as CWE-789 (Memory Allocation with Excessive Size Value) (NVD).

The vulnerability can potentially cause large amounts of memory to be allocated, leading to resource consumption and possible denial of service conditions. This impact is limited to scenarios involving authenticated users who have completed the SSH handshake (GitHub Advisory).

The vulnerability has been patched in OTP versions 27.2.4, 26.2.5.9, and 25.3.2.18. Users are advised to upgrade to these patched versions as there are no known workarounds for this vulnerability (NVD).