CVE-2026-48859

Published: Giu 10, 2026 Last Modified: Giu 10, 2026
ExploitDB:
Other exploit source:
Google Dorks:
MEDIUM 6,3
Source: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: none
Confidentiality: N/A
Integrity: N/A
Availability: N/A

Description

AI Translation Available

Observable Timing Discrepancy vulnerability in Erlang/OTP ssh (ssh_auth, ssh_options modules) allows unauthenticated remote username enumeration via timing side-channel in password authentication.

When the SSH daemon is configured with the user_passwords or password option, ssh_auth:check_password/3 performs a PBKDF2-SHA256 computation with 600,000 iterations (~300ms) for valid usernames, but returns immediately (~0ms) for invalid usernames via the ssh_options:get_password_option/2 path. This timing difference is detectable in a single authentication attempt and allows an unauthenticated attacker to distinguish valid from invalid usernames.

The user_passwords and password options are documented as intended for test purposes; the recommended alternative is pwdfun, which is not affected by this vulnerability.

This vulnerability is associated with program files lib/ssh/src/ssh_auth.erl and lib/ssh/src/ssh_options.erl.

This issue affects OTP from OTP 29.0 before 29.0.2 corresponding to ssh from 6.0 before 6.0.1.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score
0,0026
Percentile
0,5th
Updated

EPSS Score Trend (Last 4 Days)

208

Observable Timing Discrepancy

Incomplete
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Confidentiality Access Control
Potential Impacts:
Read Application Data Bypass Protection Mechanism
Applicable Platforms
All platforms may be affected
View CWE Details
https://cna.erlef.org/cves/CVE-2026-48859.html
https://cna.erlef.org/cves/CVE-2026-48859.html
https://github.com/erlang/otp/commit/c342092ef4b369bb409d5b…
https://github.com/erlang/otp/commit/c342092ef4b369bb409d5b71ac8fd83bab74aedf
https://github.com/erlang/otp/security/advisories/GHSA-3w6p…
https://github.com/erlang/otp/security/advisories/GHSA-3w6p-vwhf-wvp4
https://osv.dev/vulnerability/EEF-CVE-2026-48859
https://osv.dev/vulnerability/EEF-CVE-2026-48859
https://www.erlang.org/doc/system/versions.html#order-of-ve…
https://www.erlang.org/doc/system/versions.html#order-of-versions