Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.1, 26.2.5.10, and 25.3.2.19, a maliciously formed KEX init message can result with high memory usage. Implementation does not verify RFC specified limits on algorithm names (64 characters) provided in KEX init message. Big KEX init packet may lead to inefficient processing of the error data. As a result, large amount of memory will be allocated for processing malicious data. Versions OTP-27.3.1, OTP-26.2.5.10, and OTP-25.3.2.19 fix the issue. Some workarounds are available. One may set option `parallel_login` to `false` and/or reduce the `max_sessions` option.
Conclusion & alert: CVE-2025-30211 is rated Moderate Risk (40.5/100): CVSS High severity, with low exploitation likelihood (EPSS 0.38%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.15% | 0.38% | +0.23% |
| 2 | 2026-05-06 | 0.46% | 0.15% | -0.31% |
| 3 | 2026-01-22 | — | 0.46% | — |
Full EPSS history (5 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 7.5 | 3.1 | HIGH |
|
3.9 | 3.6 | [email protected] |
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
not yet assigned | CVE-2025-30211 not yet assigned priority: Debian including 1 source packages (erlang), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. | https://security-tracker.debian.org/tracker/CVE-2025-30211 |
redhat
|
high | — | https://access.redhat.com/security/cve/CVE-2025-30211 |
suse
|
high | CVE-2025-30211 severity important: SUSE including 42 source package names (erlang, erlang-22.2.7-150200.3.13.1, …), 79 product×package rows across 19 product lines (SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS, SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS, … (19 product lines)): Known Not Affected 53, Fixed 26. | https://www.suse.com/security/cve/CVE-2025-30211/ |
ubuntu
|
medium | CVE-2025-30211 medium priority: Ubuntu including 1 source packages (erlang), 10 status rows across 10 suites (bionic, focal, jammy, noble, oracular, plucky, questing, trusty, upstream, xenial): released 7, needs-triage 3. | https://ubuntu.com/security/CVE-2025-30211 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| No affected products in dataset. | |||