CVE-2025-48040

Publication date 11 September 2025

Last updated 21 October 2025

Ubuntu priority

Description

Uncontrolled Resource Consumption vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Flooding. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl. This issue affects OTP form OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
erlang	25.10 questing	Fixed 1:27.3.4.1+dfsg-1ubuntu0.1
	25.04 plucky	Fixed 1:27.3+dfsg-1ubuntu1.3
	24.04 LTS noble	Fixed 1:25.3.2.8+dfsg-1ubuntu4.5
	22.04 LTS jammy	Fixed 1:24.2.1+dfsg-1ubuntu0.6
	20.04 LTS focal	Ignored changes too intrusive
	18.04 LTS bionic	Ignored changes too intrusive
	16.04 LTS xenial	Ignored changes too intrusive
	14.04 LTS trusty	Ignored changes too intrusive

Notes

hlibk

On focal and below, the security backports are risky and may introduce regressions.

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
erlang	Upstream: 7cd7abb Upstream: 548f129 Upstream: https://github.com/erlang/otp/pull/10162

References

Related Ubuntu Security Notices (USN)

USN-7831-1
Erlang vulnerabilities
21 October 2025