An unauthenticated remote attacker can send a single crafted ClientHello to a TLS 1.3 server with session tickets enabled (stateful or stateless mode) and permanently disrupt session ticket handling on that listener. New TLS 1.3 handshakes complete but subsequently crash when the server attempts to issue a session ticket, effectively making TLS 1.3 unusable on the affected listener until the ssl application is restarted. TLS 1.2 connections are not affected.
This issue affects OTP from 22.2 before 29.0.3, 28.5.0.3 and 27.3.4.14 corresponding to ssl from 9.5 before 11.7.3, 11.6.0.3 and 11.2.12.10.
Project Subscriptions
No advisories yet.
Solution
No solution given by the vendor.
Workaround
* Disable session tickets on TLS 1.3 servers by setting session_tickets to disabled in the server's ssl options. * Restrict the server to TLS 1.2 by setting versions to ['tlsv1.2'] in the server's ssl options.
Thu, 02 Jul 2026 18:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Thu, 02 Jul 2026 18:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Erlang erlang/otp
Erlang otp |
|
| Vendors & Products |
Erlang erlang/otp
Erlang otp |
Thu, 02 Jul 2026 16:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The Erlang/OTP ssl application does not validate that the PSK identity list and binder list carried in a TLS 1.3 ClientHello pre-shared key extension have equal length before passing them to the session ticket handler. In tls_handshake_1_3:handle_pre_shared_key/3, an OfferedPreSharedKeys record with a mismatched number of identities and binders is forwarded directly to tls_server_session_ticket:use/4, which crashes the session ticket handler process. An unauthenticated remote attacker can send a single crafted ClientHello to a TLS 1.3 server with session tickets enabled (stateful or stateless mode) and permanently disrupt session ticket handling on that listener. New TLS 1.3 handshakes complete but subsequently crash when the server attempts to issue a session ticket, effectively making TLS 1.3 unusable on the affected listener until the ssl application is restarted. TLS 1.2 connections are not affected. This issue affects OTP from 22.2 before 29.0.3, 28.5.0.3 and 27.3.4.14 corresponding to ssl from 9.5 before 11.7.3, 11.6.0.3 and 11.2.12.10. | |
| Title | TLS 1.3 server denial of service via malformed ClientHello pre-shared key extension | |
| First Time appeared |
Erlang
Erlang erlang\/otp |
|
| Weaknesses | CWE-1284 | |
| CPEs | cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Erlang
Erlang erlang\/otp |
|
| References |
|
|
| Metrics |
cvssV4_0
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: EEF
Published:
Updated: 2026-07-02T17:28:15.681Z
Reserved: 2026-06-17T17:55:15.686Z
Link: CVE-2026-55952
Updated: 2026-07-02T17:28:12.551Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-02T20:30:05Z