Untrusted search path in otp - CVE-2021-29221

Published: April 10, 2026


Vulnerability identifier: #VU125771
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-29221
CWE-ID: CWE-426
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: erlang
Affected software:
otp

Detailed vulnerability description

The vulnerability allows a remote attacker to escalate privileges.

The vulnerability exists due to an untrusted search path involving erlsrv.exe and the Erlang/OTP installation directory: when that directory is installed on Windows with unsafe filesystem permissions, files can be added to an existing installation's directory. A remote attacker can add files to an existing installation's directory to escalate privileges.

User interaction is required, and the issue occurs only under specific conditions on Windows with unsafe filesystem permissions.
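The precondition above is an installation directory whose ACLs let low-privilege principals add or replace files next to erlsrv.exe. The following PowerShell audit is an added example (not code from the advisory or from the Erlang/OTP project) that enumerates the install tree and reports any Allow entry granting write-class rights to broad principals; the default value of $OtpRoot is an assumed path and should be set to the actual installation directory.

```powershell
# Added example: audit an Erlang/OTP install tree on Windows for ACL entries that
# let broad, low-privilege principals write files (the unsafe permissions that
# CVE-2021-29221 depends on). $OtpRoot is an assumed path; adjust for your host.
param(
    [string]$OtpRoot = 'C:\Program Files\Erlang OTP'
)

# Principals that should never hold write rights on a service binary directory.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that allow adding, replacing, deleting or re-ACLing files.
$R = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]($R::Write -bor $R::Modify -bor $R::FullControl -bor
                   $R::Delete -bor $R::ChangePermissions -bor $R::TakeOwnership)

# Audit the root, every subdirectory, and erlsrv.exe itself if present.
$targets  = @(Get-Item -LiteralPath $OtpRoot)
$targets += @(Get-ChildItem -LiteralPath $OtpRoot -Recurse -Directory -ErrorAction SilentlyContinue)
$targets += @(Get-ChildItem -LiteralPath $OtpRoot -Recurse -File -Filter 'erlsrv.exe' -ErrorAction SilentlyContinue)

$findings = foreach ($item in $targets) {
    $acl = Get-Acl -LiteralPath $item.FullName
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # Generic rights can appear as negative integers; the mask test still works.
        if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $item.FullName
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

if ($findings) {
    Write-Warning "Broad write access found on $(@($findings).Count) object(s) under $OtpRoot."
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No broad write access found under $OtpRoot."
}
```

Run it from an elevated prompt so every ACL under the tree is readable; any reported entry should be removed or restricted to administrators and the service account before relying on the vendor update alone.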


How to mitigate CVE-2021-29221

Install the security update from the vendor's website.

Sources