SB2026041020 - Untrusted search path in otp




Published: April 10, 2026

Security Bulletin ID: SB2026041020
Severity: Medium
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Medium: 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) Untrusted search path (CVE-ID: CVE-2021-29221)

The vulnerability allows a remote attacker to escalate privileges.

The vulnerability exists due to an untrusted search path in erlsrv.exe and the Erlang/OTP installation directory on Windows, where files can be added to an existing installation's directory that has unsafe filesystem permissions. A remote attacker can add files to an existing installation's directory to escalate privileges.

User interaction is required, and the issue occurs only under specific conditions on Windows with unsafe filesystem permissions.
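
One way to check an existing installation for the unsafe filesystem permissions described above. This is an added example, not code from the bulletin or from Erlang/OTP; the install path is a placeholder to replace, and the list of low-privileged groups and the function name `Get-WeakInstallAcl` are assumptions made for illustration.

```powershell
param([string]$InstallDir = 'C:\PATH\TO\ERLANG-OTP')  # placeholder path (assumption)

# Well-known SIDs of broad, low-privileged groups.
$LowPrivSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}
# Rights that let a principal plant or replace files, or rewrite the ACL.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, ChangePermissions, TakeOwnership'
# GENERIC_WRITE | GENERIC_ALL, as stored in some inherit-only ACEs.
$GenericMask = 0x50000000

function Get-WeakInstallAcl {
    param([Parameter(Mandatory)][string]$Path)
    # Audit the root, every subdirectory, and each copy of erlsrv.exe.
    $targets = @(Get-Item -LiteralPath $Path) +
        @(Get-ChildItem -LiteralPath $Path -Recurse -Directory -ErrorAction SilentlyContinue) +
        @(Get-ChildItem -LiteralPath $Path -Recurse -File -Filter 'erlsrv.exe' -ErrorAction SilentlyContinue)
    foreach ($t in $targets) {
        $acl = Get-Acl -LiteralPath $t.FullName
        # Ask for SIDs so the check does not depend on localized group names.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($r in $rules) {
            if ($r.AccessControlType -ne 'Allow') { continue }
            $sid = $r.IdentityReference.Value
            if (-not $LowPrivSids.ContainsKey($sid)) { continue }
            $bits = [int]$r.FileSystemRights
            if (($bits -band $WriteMask) -or ($bits -band $GenericMask)) {
                [pscustomobject]@{
                    Path      = $t.FullName
                    Principal = $LowPrivSids[$sid]
                    Rights    = $r.FileSystemRights
                    Inherited = $r.IsInherited
                }
            }
        }
    }
}

$findings = @(Get-WeakInstallAcl -Path $InstallDir)
if ($findings.Count -eq 0) { "No write access for broad groups under $InstallDir" }
else { $findings | Format-Table -AutoSize -Wrap }
```

Deny entries and ACEs granted to individual accounts are not evaluated, so an empty result is a first pass rather than proof that the directory is locked down.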


Remediation

Install the update from the vendor's website.