Comparison using wrong factors in otp - CVE-2026-48860
Published: July 2, 2026
otp
Detailed vulnerability description
The vulnerability allows a remote user to bypass LAN-based access restrictions for Erlang distribution over TLS.
The vulnerability exists due to comparison using wrong factors in check_ip/1 in lib/ssl/src/inet_tls_dist.erl when validating the peer address for TLS distribution connections. A remote user can present a valid certificate signed by a shared trusted CA to bypass LAN-based access restrictions for Erlang distribution over TLS.
Exploitation requires Erlang distribution to use TLS with the kernel check_ip setting enabled, and the TLS trust model must accept certificates from a CA that is not dedicated exclusively to cluster members.
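The mitigation the description implies is to make the TLS trust model itself the access control: only certificates issued by a CA dedicated to cluster members should be accepted, so an address check is not the last line of defence. The following `ssl_dist_optfile` is an added illustration, not configuration from the advisory or from OTP; the file paths are placeholders and the CA file is assumed to contain only the cluster's own issuing CA.

```erlang
%% ssl_dist.conf (added example, not from the advisory)
%% Load with:  erl -proto_dist inet_tls -ssl_dist_optfile /etc/erlang/ssl_dist.conf ...
%%
%% cluster_ca.pem must hold ONLY the CA that issues node certificates for this
%% cluster. A shared or organisation-wide CA here is exactly the trust model the
%% advisory warns about: any holder of a certificate from that CA would pass
%% verification before the peer-address check is consulted.
[{server,
  [{certfile,             "/etc/erlang/certs/node.pem"},      % placeholder path
   {cacertfile,           "/etc/erlang/certs/cluster_ca.pem"}, % dedicated cluster CA only
   {verify,               verify_peer},                        % require a client certificate
   {fail_if_no_peer_cert, true},                               % reject connections without one
   {secure_renegotiate,   true}]},
 {client,
  [{certfile,             "/etc/erlang/certs/node.pem"},      % placeholder path
   {cacertfile,           "/etc/erlang/certs/cluster_ca.pem"}, % verify the server against the same CA
   {verify,               verify_peer},
   {secure_renegotiate,   true}]}].
```

With both sides set to `verify_peer` against a cluster-only CA, a certificate from any other issuer fails the TLS handshake regardless of the peer address, which removes the precondition named in the last paragraph (a CA not dedicated exclusively to cluster members). The kernel `check_ip` setting can remain enabled as an additional layer, but should not be the control that membership depends on.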