
4 matches found

Cvelist
added 4 hours ago, 5 views

CVE-2026-48859 SSH server timing side-channel in ssh_auth:check_password/3 allows unauthenticated username enumeration

Observable Timing Discrepancy vulnerability in Erlang/OTP ssh (ssh_auth, ssh_options modules) allows unauthenticated remote username enumeration via timing side-channel in password authentication. When the SSH daemon is configured with the user_passwords or password option, ssh_auth:check_password/3...

6.3 CVSS
Exploits: 0, References: 5
CVE
added 4 hours ago, 3 views

CVE-2026-48859

The CVE affects Erlang/OTP’s SSH server (ssh_auth and ssh_options) in OTP prior to 29.0.2 (SSH 6.0.x before 6.0.1). When the daemon uses user_passwords or password options, ssh_auth:check_password/3 performs PBKDF2-SHA256 with 600,000 iterations (~300 ms) for valid usernames, but returns in ~0 ms...

6.3 CVSS, 5.5 AI score
Exploits: 0, References: 5
CVE
added 2025/08/01 12:00 a.m., 14 views

CVE-2019-19145

The CVE-2019-19145 entry affects Quantum SuperLoader 3 devices, specifically version V94.0 005E.0h, due to a hard-coded account with only 65,536 possible passwords, enabling unauthorized access as described in multiple connected sources. The reports describe the root cause as a hard-coded credent...

5.8 CVSS, 6.7 AI score, 0.00216 EPSS
Exploits: 0, References: 3
securityvulns
added 2001/04/12 12:00 a.m., 26 views

flaw in RH ``mkpasswd'' command

Hey, The mkpasswd password generator that ships in the ``expect'' package of at least RedHat 6.2 generates only a relatively small number 2^15 for the default password length of passwords. Presumably this is a result of trying to apply too many rules of what is a ``good'' password to the generation...

7.1 AI score
Exploits: 0