SB2026071054 - Fedora 44 update for erlang



SB2026071054 - Fedora 44 update for erlang

Published: July 10, 2026

Security Bulletin ID SB2026071054
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 6
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 50% Low 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 6 vulnerabilities.


1) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-48858)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to perform server-side request forgery against internal or third-party hosts.

The vulnerability exists due to improper control of a resource through its lifetime in ftp_internal:handle_command/3 when processing PASV responses in passive mode. A remote user can supply a crafted 227 response with an arbitrary IP address and port to perform server-side request forgery against internal or third-party hosts.

On affected operations, the client may read data from or send data to the redirected target instead of the FTP server. The issue affects the PASV path used with the default passive-mode configuration and does not affect the EPSV path.


2) Stack-based buffer overflow (CVE-ID: CVE-2026-49759)

CWE-ID: CWE-121 - Stack-based buffer overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to stack-based buffer overflow in SCTP error cause parsing in inet_drv.c when processing a crafted SCTP ERROR chunk. A remote attacker can send a specially crafted SCTP ERROR chunk after establishing an SCTP association to cause a denial of service.

Systems are affected only when SCTP support is enabled, a listening SCTP socket is opened via gen_sctp with the default inet backend, and the listening port is reachable from the attacker's network.


3) Comparison using wrong factors (CVE-ID: CVE-2026-48860)

CWE-ID: CWE-1025 - Comparison using wrong factors

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to bypass LAN-based access restrictions for Erlang distribution over TLS.

The vulnerability exists due to comparison using wrong factors in check_ip/1 in lib/ssl/src/inet_tls_dist.erl when validating the peer address for TLS distribution connections. A remote user can present a valid certificate signed by a shared trusted CA to bypass LAN-based access restrictions for Erlang distribution over TLS.

Exploitation requires Erlang distribution to use TLS with the kernel check_ip setting enabled, and the TLS trust model must accept certificates from a CA that is not dedicated exclusively to cluster members.


4) Infinite loop (CVE-ID: CVE-2026-54886)

CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to an infinite loop in handle_data/4 in ssh_sftpd.erl when processing SSH_MSG_CHANNEL_EXTENDED_DATA on an established SFTP channel. A remote user can send a specially crafted extended data message to cause a denial of service.

The issue affects targeted SFTP channel processes, which become permanently unresponsive while continuing to consume CPU time and accumulate unbounded message queue memory. Opening many channels can amplify the impact.


5) Improper Enforcement of Message Integrity During Transmission in a Communication Channel (CVE-ID: CVE-2026-54891)

CWE-ID: CWE-924 - Improper Enforcement of Message Integrity During Transmission in a Communication Channel

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to inject plaintext data into a TLS client application.

The vulnerability exists due to improper enforcement of message integrity during transmission in the (d)tls client handshake handling when a man-in-the-middle interferes before the handshake completes. A remote attacker can inject plaintext data before handshake completion to inject plaintext data into a TLS client application.

The injected data may be delivered to the client application after a successful handshake. The injection window is smaller for TLS 1.3 than for earlier TLS versions.


6) Improper Validation of Specified Quantity in Input (CVE-ID: CVE-2026-55952)

CWE-ID: CWE-1284 - Improper Validation of Specified Quantity in Input

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper validation of specified quantity in input in the TLS-1.3 session ticket handler when processing a malformed ClientHello with mismatched PSK identity and binder list lengths. A remote attacker can send a specially crafted ClientHello message to cause a denial of service.

Only TLS-1.3 servers with session tickets enabled are vulnerable. TLS-1.2 connections are not affected.


Remediation

Install update from vendor's website.