FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Erlang/OTP -- timing-based username enumeration in SSH password authentication

Affected packages
erlang-runtime29 < 29.0.2

Details

VuXML ID d87e7df5-64d4-11f1-ab11-4c526214c986
Discovery 2026-06-10
Entry 2026-06-10

https://github.com/erlang/otp/security/advisories/GHSA-3w6p-vwhf-wvp4 reports:

A timing-based username enumeration vulnerability during password authentication with the user_passwords option has been fixed by performing a dummy PBKDF2 computation for invalid usernames, so authentication timing no longer reveals whether a username exists.
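The fix pattern described in the advisory text above, as an added example that is not taken from the advisory or from Erlang/OTP's code: a password check that returns early for unknown usernames, next to one that runs a dummy PBKDF2 so both cases cost the same. It is written in Python rather than Erlang; the `PasswordStore` class, its method names, the iteration count and the sample credentials are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor, not a value from the advisory
KEY_LEN = 32


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, KEY_LEN)


class PasswordStore:
    """Hypothetical username -> (salt, PBKDF2 hash) table, constructed for this example."""

    def __init__(self, users: dict[str, str]):
        self._db = {}
        for name, pw in users.items():
            salt = os.urandom(16)
            self._db[name] = (salt, _derive(pw, salt))
        # Dummy record: exists only so unknown usernames cost one PBKDF2 run too.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = os.urandom(KEY_LEN)
        self.kdf_calls = 0  # instrumentation so the work done per check is observable

    def _kdf(self, password: str, salt: bytes) -> bytes:
        self.kdf_calls += 1
        return _derive(password, salt)

    def check_leaky(self, user: str, password: str) -> bool:
        """'Before' behaviour: unknown usernames skip PBKDF2 and answer faster."""
        rec = self._db.get(user)
        if rec is None:
            return False
        salt, stored = rec
        return hmac.compare_digest(self._kdf(password, salt), stored)

    def check_equalized(self, user: str, password: str) -> bool:
        """'After' behaviour: one PBKDF2 run whether or not the username exists."""
        rec = self._db.get(user)
        known = rec is not None
        salt, stored = rec if known else (self._dummy_salt, self._dummy_hash)
        # Compute and compare first, then fold in 'known', so no branch skips the KDF.
        match = hmac.compare_digest(self._kdf(password, salt), stored)
        return match and known
```

Counting `kdf_calls` per request gives a deterministic regression check for this class of bug, which is more reliable in CI than measuring wall-clock response times.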

References

CVE Name CVE-2026-48859
URL https://github.com/erlang/otp/security/advisories/GHSA-3w6p-vwhf-wvp4