CVE-2025-46712

Publication date 8 May 2025

Last updated 21 July 2025

Ubuntu priority

Cvss 3 Severity Score

Erlang/OTP is a set of libraries for the Erlang programming language. In versions prior to OTP-27.3.4 (for OTP-27), OTP-26.2.5.12 (for OTP-26), and OTP-25.3.2.21 (for OTP-25), Erlang/OTP SSH fails to enforce strict KEX handshake hardening measures by allowing optional messages to be exchanged. This allows a Man-in-the-Middle attacker to inject these messages in a connection during the handshake. This issue has been patched in versions OTP-27.3.4 (for OTP-27), OTP-26.2.5.12 (for OTP-26), and OTP-25.3.2.21 (for OTP-25).

Why is this CVE low priority?

Per upstream advisory, this is a low severity CVE

Learn more about Ubuntu priority

Status

Show unmaintained releases

Package	Ubuntu Release	Status
erlang	25.04 plucky	Fixed 1:27.3+dfsg-1ubuntu1.2
	24.10 oracular	Ignored end of life, was needs-triage
	24.04 LTS noble	Fixed 1:25.3.2.8+dfsg-1ubuntu4.4
	22.04 LTS jammy	Fixed 1:24.2.1+dfsg-1ubuntu0.5
	20.04 LTS focal	Needs evaluation
	18.04 LTS bionic	Needs evaluation
	16.04 LTS xenial	Needs evaluation
	14.04 LTS trusty	Needs evaluation

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
erlang	Upstream: e4b56a9 Upstream: 816b5f7 Upstream: bfe3869 Upstream: c0f7a86 Upstream: 558c52c Upstream: dc2223c

Severity score breakdown

Parameter	Value
Base score	3.7 · Low
Attack vector	Network
Attack complexity	High
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	None
Integrity impact	Low
Availability impact	None
Vector	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

References

Related Ubuntu Security Notices (USN)

USN-7656-1
Erlang vulnerabilities
21 July 2025