CVE-2026-55950: Time-of-check Time-of-use (TOCTOU) race condition vulnerability in Erlang/OTP ssl (dtls_packet_demux module) allows an unauthenticated remote attacker to crash all active DTLS sess
Time-of-check Time-of-use (TOCTOU) race condition vulnerability in Erlang/OTP ssl (dtls_packet_demux module) allows an unauthenticated remote attacker to crash all active DTLS sessions on a listener.
A DTLS server listener uses a single shared dtls_packet_demux gen_server process to route incoming UDP datagrams to the correct connection handler. When a DTLS client reconnects rapidly from the same source address and port (sending multiple ClientHello messages in quick succession), a race condition in the demux's internal gb_trees key-value store causes a {key_exists, {old, Client}} crash, terminating the demux process. Because the demux is shared across all DTLS associations on that listener, its crash immediately kills every active DTLS session, not just the attacker's.
The attack is pre-authentication: the attacker only needs to send UDP datagrams containing valid ClientHello messages from the same source IP and port before the intermediate DOWN monitor message is processed by the gen_server. No credentials, no completed handshake, and no special configuration are required, and the crash can be repeated indefinitely to create a persistent denial of service for all clients of that listener.
This vulnerability is associated with program file lib/ssl/src/dtls_packet_demux.erl.
This issue affects OTP from OTP 25.3 before 29.0.3, 28.5.0.3, and 27.3.4.14 corresponding to ssl from 10.9 before 11.7.3, 11.6.0.3, and 11.2.12.10.
Details
Original advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-55950
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-559500.38% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 30% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-55950 | coverage & exploitation status | NVD · CVE.org |
Same CVEs, other sources
How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.
- medium[NEW] [medium] Erlang/OTP: Multiple vulnerabilitiescert-bund
Recent advisories for Time-of-check Time-of-use
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- unknownCVE-2026-21046: Time-of-check time-of-use race condition in fabricKeymaster trustlet prior to SMR Jul-2026 Rel…nvd · 2026-07-10
- highCVE-2026-58299: Time-of-check time-of-use (toctou) race condition in Microsoft Edge for Android allows an unau…nvd · 2026-07-03
- highCVE-2026-24260: NVIDIA Container Toolkit for Linux contains a vulnerability where an attacker could cause a ti…nvd · 2026-07-01
- unknownCVE-2026-12374: Improper certificate validation and a time-of-check time-of-use (TOCTOU) race condition in the…nvd · 2026-07-01
- mediumCVE-2026-14160: Time-of-check time-of-use (TOCTOU) race condition vulnerability in Samsung Open Source Escargo…nvd · 2026-06-30
- mediumCVE-2026-54370: acl before version 2.4.0 contains a time-of-check to time-of-use (TOCTOU) race condition vulne…nvd · 2026-06-29
More from NVD Recent CVEs
- unknownCVE-2026-57828: The Joomla extension Phoca Downloads is vulnerable to an authenticated arbitrary file upload t…2026-07-11
- unknownCVE-2026-57827: The Joomla extension RSFiles is vulnerable to an unauthenticated arbitrary file upload that al…2026-07-11
- highCVE-2026-1359: The Genolve – AI image AI video generation plugin for WordPress is vulnerable to unauthorized m…2026-07-11
- highCVE-2026-9282: The W3 Total Cache plugin for WordPress is vulnerable to Directory Traversal in all versions up…2026-07-11
- mediumCVE-2026-9017: The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to autho…2026-07-11