SB2026071054 - Fedora 44 update for erlang
Published: July 10, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 6 vulnerabilities.
1) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-48858)
CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to perform server-side request forgery against internal or third-party hosts.
The vulnerability exists due to improper control of a resource through its lifetime in ftp_internal:handle_command/3 when processing PASV responses in passive mode. A remote user can supply a crafted 227 response with an arbitrary IP address and port to perform server-side request forgery against internal or third-party hosts.
On affected operations, the client may read data from or send data to the redirected target instead of the FTP server. The issue affects the PASV path used with the default passive-mode configuration and does not affect the EPSV path.
2) Stack-based buffer overflow (CVE-ID: CVE-2026-49759)
CWE-ID: CWE-121 - Stack-based buffer overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to stack-based buffer overflow in SCTP error cause parsing in inet_drv.c when processing a crafted SCTP ERROR chunk. A remote attacker can send a specially crafted SCTP ERROR chunk after establishing an SCTP association to cause a denial of service.
Systems are affected only when SCTP support is enabled, a listening SCTP socket is opened via gen_sctp with the default inet backend, and the listening port is reachable from the attacker's network.
3) Comparison using wrong factors (CVE-ID: CVE-2026-48860)
CWE-ID: CWE-1025 - Comparison using wrong factors
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to bypass LAN-based access restrictions for Erlang distribution over TLS.
The vulnerability exists due to comparison using wrong factors in check_ip/1 in lib/ssl/src/inet_tls_dist.erl when validating the peer address for TLS distribution connections. A remote user can present a valid certificate signed by a shared trusted CA to bypass LAN-based access restrictions for Erlang distribution over TLS.
Exploitation requires Erlang distribution to use TLS with the kernel check_ip setting enabled, and the TLS trust model must accept certificates from a CA that is not dedicated exclusively to cluster members.
4) Infinite loop (CVE-ID: CVE-2026-54886)
CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to an infinite loop in handle_data/4 in ssh_sftpd.erl when processing SSH_MSG_CHANNEL_EXTENDED_DATA on an established SFTP channel. A remote user can send a specially crafted extended data message to cause a denial of service.
The issue affects targeted SFTP channel processes, which become permanently unresponsive while continuing to consume CPU time and accumulate unbounded message queue memory. Opening many channels can amplify the impact.
CWE-ID: CWE-924 - Improper Enforcement of Message Integrity During Transmission in a Communication Channel
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to inject plaintext data into a TLS client application.
The vulnerability exists due to improper enforcement of message integrity during transmission in the (d)tls client handshake handling when a man-in-the-middle interferes before the handshake completes. A remote attacker can inject plaintext data before handshake completion to inject plaintext data into a TLS client application.
The injected data may be delivered to the client application after a successful handshake. The injection window is smaller for TLS 1.3 than for earlier TLS versions.
6) Improper Validation of Specified Quantity in Input (CVE-ID: CVE-2026-55952)
CWE-ID: CWE-1284 - Improper Validation of Specified Quantity in Input
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper validation of specified quantity in input in the TLS-1.3 session ticket handler when processing a malformed ClientHello with mismatched PSK identity and binder list lengths. A remote attacker can send a specially crafted ClientHello message to cause a denial of service.
Only TLS-1.3 servers with session tickets enabled are vulnerable. TLS-1.2 connections are not affected.
Remediation
Install update from vendor's website.