SB2026070296 - Multiple vulnerabilities in otp
Published: July 2, 2026
Description
This security bulletin contains information about 7 vulnerabilities.
1) Stack-based buffer overflow (CVE-ID: CVE-2026-49760)
CWE-ID: CWE-121 - Stack-based buffer overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a stack-based buffer overflow in ei_s_print_term (erl_interface) when it formats an encoded Erlang term that contains a very large integer. A remote attacker who can deliver term data to a C node or other program that passes it to ei_s_print_term can supply a specially crafted term and crash the process.
The issue is limited to the memory-printing function ei_s_print_term; the related ei_print_term, which writes to a FILE, is not affected.
2) Stack-based buffer overflow (CVE-ID: CVE-2026-49759)
CWE-ID: CWE-121 - Stack-based buffer overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a stack-based buffer overflow in the SCTP error-cause parsing code in inet_drv.c when a crafted SCTP ERROR chunk is processed. A remote attacker who can establish an SCTP association with a listening socket can then send a specially crafted ERROR chunk and crash the process; because inet_drv is a linked-in driver, this takes down the whole Erlang VM.
Systems are affected only when SCTP support is enabled in the runtime, a listening SCTP socket has been opened via gen_sctp with the default inet backend, and the listening port is reachable from the attacker's network.
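The bug class behind this entry is a length field taken from the wire and used to copy an error cause into a fixed-size buffer without checking it against the bytes actually received. The following is an added illustration of the check a receiver needs; it is not code from inet_drv.c and makes no claim about the exact code path there. The chunk layout follows RFC 4960 (chunk header type/flags/length, then causes of code/length/info padded to 4 bytes); the sample chunks and the 256-byte buffer limit are constructed for the demo.

```python
import struct

# Wire layout from RFC 4960: chunk = type(1) flags(1) length(2) value;
# an ERROR chunk's value is a run of causes, each cause-code(2)
# cause-length(2) cause-info, padded to a 4-byte boundary. Both length
# fields count their own 4-byte header.
CHUNK_HDR = struct.Struct("!BBH")
CAUSE_HDR = struct.Struct("!HH")
SCTP_ERROR_CHUNK_TYPE = 9
MAX_CAUSE_INFO = 256  # stands in for a fixed-size stack buffer in a C receiver (assumed size)


def parse_error_causes(chunk: bytes):
    """Return [(cause_code, cause_info)] from an ERROR chunk or raise ValueError.

    Every length taken from the wire is checked against the bytes actually
    present before it is used for a slice, and the copied info is capped at
    MAX_CAUSE_INFO. Skipping either check is the shape of bug that turns a
    crafted ERROR chunk into a stack overflow.
    """
    if len(chunk) < CHUNK_HDR.size:
        raise ValueError("truncated chunk header")
    ctype, _flags, clen = CHUNK_HDR.unpack_from(chunk)
    if ctype != SCTP_ERROR_CHUNK_TYPE:
        raise ValueError("not an ERROR chunk")
    if clen < CHUNK_HDR.size or clen > len(chunk):
        raise ValueError("chunk length out of range")
    causes = []
    off = CHUNK_HDR.size
    while off < clen:
        if clen - off < CAUSE_HDR.size:
            raise ValueError("truncated cause header")
        code, cause_len = CAUSE_HDR.unpack_from(chunk, off)
        # cause_len is attacker-controlled: it must stay inside the chunk.
        if cause_len < CAUSE_HDR.size or off + cause_len > clen:
            raise ValueError("cause length exceeds chunk")
        info = chunk[off + CAUSE_HDR.size:off + cause_len]
        if len(info) > MAX_CAUSE_INFO:
            raise ValueError("cause info larger than receive buffer")
        causes.append((code, info))
        off += (cause_len + 3) & ~3  # step over the cause and its padding
    return causes


def build_error_chunk(causes):
    """Constructed test input: assemble an ERROR chunk from (code, info) pairs.
    For simplicity the trailing pad of the last cause is counted in the chunk
    length; the parser above accepts either convention."""
    body = b""
    for code, info in causes:
        cause_len = CAUSE_HDR.size + len(info)
        body += CAUSE_HDR.pack(code, cause_len) + info + b"\x00" * (-cause_len % 4)
    return CHUNK_HDR.pack(SCTP_ERROR_CHUNK_TYPE, 0, CHUNK_HDR.size + len(body)) + body


def check_chunk(chunk: bytes):
    """Small wrapper returning ("ok", causes) or ("rejected", reason)."""
    try:
        return ("ok", parse_error_causes(chunk))
    except ValueError as exc:
        return ("rejected", str(exc))


# Constructed samples. GOOD: cause 1 (Invalid Stream Identifier), 4 info bytes.
GOOD = build_error_chunk([(1, b"\x00\x07\x00\x00")])
# BAD: the cause header claims 4096 info bytes but the chunk holds 4.
BAD = (CHUNK_HDR.pack(SCTP_ERROR_CHUNK_TYPE, 0, 12)
       + CAUSE_HDR.pack(1, 4096) + b"\x00\x07\x00\x00")
# OVERSIZED: lengths are self-consistent, but the info would not fit the buffer.
OVERSIZED = build_error_chunk([(1, b"A" * 300)])

if __name__ == "__main__":
    for name, chunk in (("GOOD", GOOD), ("BAD", BAD), ("OVERSIZED", OVERSIZED)):
        print(name, check_chunk(chunk))
```

The two rejected samples are the two ways a parser gets this wrong: trusting a cause length that runs past the chunk, and trusting one that fits the chunk but not the destination buffer.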
3) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-48858)
CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to perform server-side request forgery against internal or third-party hosts.
The vulnerability exists due to insufficient validation of the data-connection address in ftp_internal:handle_command/3 when it processes the server's 227 (Entering Passive Mode) response: the client opens the data connection to whatever IP address and port the response names. A remote user who controls (or has compromised) the FTP server the client talks to can return a crafted 227 response carrying an arbitrary IP address and port and make the client connect to internal or third-party hosts.
On the affected operations the client may read data from or send data to the redirected target instead of the FTP server. The issue affects the PASV path used with the default passive-mode configuration; the EPSV path, whose 229 response carries only a port and therefore always reuses the control connection's host, is not affected.
4) Comparison using wrong factors (CVE-ID: CVE-2026-48860)
CWE-ID: CWE-1025 - Comparison using wrong factors
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to bypass LAN-based access restrictions for Erlang distribution over TLS.
The vulnerability exists due to a comparison using wrong factors in check_ip/1 in lib/ssl/src/inet_tls_dist.erl when validating the peer address of an incoming TLS distribution connection. A remote user who holds a valid certificate signed by a CA that the cluster trusts can bypass the LAN-based restriction that check_ip is meant to enforce and connect to the distribution port from outside the permitted network.
Exploitation requires Erlang distribution over TLS with the kernel parameter check_ip enabled, and a TLS trust configuration that accepts certificates from a CA that is not dedicated exclusively to cluster members (for example a shared corporate or public CA).
5) Open redirect (CVE-ID: CVE-2026-48856)
CWE-ID: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper access control in the httpc redirect handler in httpc_response.erl when it follows cross-origin redirects: the request's credential headers are re-sent to the new origin. A remote attacker who controls a server the victim contacts, or can make such a server return a crafted redirect, receives the victim's credentials when httpc follows the redirect to an attacker-controlled origin.
Automatic redirects are enabled by default. The issue affects both the Authorization and Proxy-Authorization headers, including Basic credentials that httpc derives from userinfo in the request URL.
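The rule a client has to apply is the one browsers implement through the Fetch standard: when the redirect target's origin (scheme, host, port) differs from the request's, drop the Authorization header before re-sending; credentials that came from user:pass@ in the URL must be materialised first so they fall under the same rule. The following is an added Python example of that policy, not code from httpc; it also drops Proxy-Authorization on any origin change, a deliberately strict choice that a client which always talks through one proxy might relax. The URLs and headers are constructed for the demo.

```python
import base64
from urllib.parse import urljoin, urlsplit

SENSITIVE = ("authorization", "proxy-authorization")


def origin(url: str):
    """(scheme, host, port) of an absolute http(s) URL; userinfo is ignored."""
    p = urlsplit(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        raise ValueError(f"unsupported redirect target: {url}")
    return (p.scheme, p.hostname.lower(), p.port or (443 if p.scheme == "https" else 80))


def basic_from_userinfo(url: str):
    """Authorization value for user:pass@ embedded in url, or None."""
    p = urlsplit(url)
    if p.username is None:
        return None
    raw = f"{p.username}:{p.password or ''}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def headers_for_redirect(request_url: str, location: str, headers: dict) -> dict:
    """Headers to send to `location` after a redirect from request_url.

    Credentials embedded in request_url become an Authorization header first
    so they are governed by the same rule as an explicit header. Same-origin
    redirects (including relative Location values) keep every header; any
    change of scheme, host or port drops the SENSITIVE ones.
    """
    target = urljoin(request_url, location)
    out = dict(headers)
    ui = basic_from_userinfo(request_url)
    if ui and not any(k.lower() == "authorization" for k in out):
        out["Authorization"] = ui
    if origin(request_url) != origin(target):
        out = {k: v for k, v in out.items() if k.lower() not in SENSITIVE}
    return out


if __name__ == "__main__":
    hdrs = {"Authorization": "Bearer s3cr3t", "Accept": "*/*"}
    print(headers_for_redirect("https://api.example.com/v1", "/v2", hdrs))
    print(headers_for_redirect("https://api.example.com/v1", "https://attacker.example.net/", hdrs))
```

Note that a change of scheme alone (https to http on the same host) counts as cross-origin here; a bearer token sent over the downgraded connection would otherwise be exposed on the wire even without a hostile redirect target.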
6) Information disclosure (CVE-ID: CVE-2026-48855)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the SSH_FXP_READLINK handler in ssh_sftpd when it returns symlink targets: the target is reported as the backend's absolute filesystem path rather than as a path relative to the configured SFTP root. A remote user with SFTP access can create a symlink and read it back via SFTP to learn the backend location of the SFTP root.
Only configurations that use the SFTP root option are affected. The issue discloses the absolute backend filesystem path of the configured SFTP root directory and of symlink targets within it; by itself it provides neither file contents nor access outside the configured root.
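What a root-aware READLINK handler has to do with a symlink target before returning it: strip the root prefix from absolute targets so the client sees a path in its own namespace, resolve relative targets only to confirm they stay inside the root, and return nothing for targets that escape it. The following is an added Python example of that translation; it is not ssh_sftpd's code, and the root directory, link paths and targets are constructed for the demo. The backend is assumed to be POSIX, hence posixpath throughout.

```python
import posixpath


def readlink_in_root(root: str, client_path: str, target: str):
    """Translate a symlink target read from the backend into the client's view.

    root:        absolute backend directory exposed to the client as "/".
    client_path: the symlink's path as the client named it (root-relative).
    target:      the raw target string stored in the link (what readlink gave).
    Returns the client-visible target, or None if the link leaves the root.
    """
    root = posixpath.normpath(root)
    if root == "/":
        return target  # no chroot configured: nothing to hide
    # Directory containing the link, in client terms, normalised and anchored at "/".
    link_dir = posixpath.dirname(posixpath.normpath(posixpath.join("/", client_path)))
    if posixpath.isabs(target):
        backend_abs = posixpath.normpath(target)
    else:
        # Relative targets resolve against the link's own directory on the backend.
        backend_abs = posixpath.normpath(posixpath.join(root, link_dir.lstrip("/"), target))
    # Containment test; the trailing "/" stops "/srv/root2" matching root "/srv/root".
    inside = backend_abs == root or backend_abs.startswith(root + "/")
    if not inside:
        return None
    if posixpath.isabs(target):
        rel = backend_abs[len(root):]
        return rel if rel else "/"
    # A relative target that stays inside the root reveals nothing; pass it through.
    return target


def readlink_leaky(root: str, client_path: str, target: str):
    """The vulnerable shape for comparison: hand back the backend string as-is."""
    return target


if __name__ == "__main__":
    ROOT = "/srv/sftp/alice"  # constructed backend root
    for t in ("/srv/sftp/alice/docs/v2", "../shared/file", "/etc/passwd"):
        print(t, "->", readlink_in_root(ROOT, "/docs/latest", t), "(leaky:", readlink_leaky(ROOT, "/docs/latest", t), ")")
```

The escape case matters beyond disclosure: if the server later follows the returned target on the client's behalf, a link pointing outside the root would otherwise become a read primitive, so returning None (an SSH_FX_FAILURE or similar to the client) is the conservative choice.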
7) Information Exposure Through Timing Discrepancy (CVE-ID: CVE-2026-48859)
CWE-ID: CWE-208 - Information Exposure Through Timing Discrepancy
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to enumerate valid usernames.
The vulnerability exists due to an observable timing discrepancy in ssh_auth:check_password/3 when it handles SSH password authentication configured with the user_passwords option: the time taken to reject an attempt differs depending on whether the username exists. A remote attacker can send password authentication attempts for candidate usernames, time the responses, and so enumerate valid usernames without knowing any password.
Only systems that use the user_passwords or password option for SSH daemon password authentication are affected.
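Why the discrepancy arises and how to remove it, as an added Python example that is not OTP's ssh_auth code (which is Erlang; the structure is the point): the leaky check returns as soon as the username lookup fails, so a bad username answers faster than a bad password, while the hardened check derives and compares against a fixed dummy record for unknown users and only then folds in whether the user exists. The hash-call counter is a deterministic stand-in for wall-clock timing; the user database, dummy salt and iteration count are constructed for the demo.

```python
import hashlib
import hmac
import os

ITERATIONS = 20_000  # kept low for the demo; tune upward in production


def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user_db(user_passwords):
    """Constructed sample store {user: (salt, hash)} from plaintext pairs."""
    db = {}
    for user, pw in user_passwords:
        salt = os.urandom(16)
        db[user] = (salt, derive(pw, salt))
    return db


# Dummy record hashed whenever the username is unknown, so both branches do
# the same work. The salt only needs to be fixed, not secret.
_DUMMY_SALT = b"\x00" * 16
_DUMMY_HASH = derive("", _DUMMY_SALT)


class Authenticator:
    def __init__(self, db):
        self.db = db
        self.hash_calls = 0  # instrumentation: how much work a check performed

    def _derive(self, password, salt):
        self.hash_calls += 1
        return derive(password, salt)

    def check_password_leaky(self, user, password):
        """Vulnerable shape: an unknown user returns before any hashing, so a
        wrong username answers measurably faster than a wrong password."""
        entry = self.db.get(user)
        if entry is None:
            return False
        salt, expected = entry
        return hmac.compare_digest(self._derive(password, salt), expected)

    def check_password(self, user, password):
        """Hardened shape: always derive and compare, against a dummy record
        when the user is unknown, and only then fold in whether the user exists."""
        entry = self.db.get(user)
        known = entry is not None
        salt, expected = entry if known else (_DUMMY_SALT, _DUMMY_HASH)
        match = hmac.compare_digest(self._derive(password, salt), expected)
        return known and match


def work_units(auth, check, user, password):
    """Hash derivations performed by one call of `check` (a timing proxy)."""
    before = auth.hash_calls
    check(user, password)
    return auth.hash_calls - before


if __name__ == "__main__":
    auth = Authenticator(make_user_db([("alice", "correct horse"), ("bob", "hunter2")]))
    for name in ("alice", "mallory"):
        print(name, "leaky:", work_units(auth, auth.check_password_leaky, name, "x"),
              "hardened:", work_units(auth, auth.check_password, name, "x"))
```

The residual difference (one dictionary lookup) is far below what a network attacker can resolve; the hash derivation is what dominates, and that is what the dummy record equalises. Equalising the work is also cheaper than adding random delays, which only raise the number of samples an attacker needs.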
Remediation
Install the updates published by the vendor; the advisories listed under References identify the fixed releases.
References
- https://github.com/erlang/otp/security/advisories/GHSA-xcxj-5pg2-v72j
- https://github.com/erlang/otp/security/advisories/GHSA-6f4f-chj5-5g97
- https://github.com/erlang/otp/security/advisories/GHSA-24cv-hwgr-37fq
- https://github.com/erlang/otp/security/advisories/GHSA-gp7x-mfv6-52cv
- https://github.com/erlang/otp/security/advisories/GHSA-m75x-4vwg-ggjh
- https://github.com/erlang/otp/security/advisories/GHSA-pv7g-pjrq-x2fh
- https://github.com/erlang/otp/security/advisories/GHSA-3w6p-vwhf-wvp4