Comparison using wrong factors in otp - CVE-2026-48860

Published: July 2, 2026


Vulnerability identifier: #VU136819
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-48860
CWE-ID: CWE-1025
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: erlang
Affected software:
otp

Detailed vulnerability description

The vulnerability allows a remote user to bypass the LAN-based access restriction that the kernel check_ip setting applies to Erlang distribution over TLS.

The vulnerability exists due to a comparison using incorrect factors in check_ip/1 in lib/ssl/src/inet_tls_dist.erl when validating the peer address of an incoming TLS distribution connection, so the check does not restrict connections to the local LAN as intended. A remote user who holds a valid certificate issued by a CA that the cluster trusts, but who is not a cluster member, can therefore connect from outside the LAN; the certificate requirement still applies, so the bypass affects only the address restriction, not TLS peer authentication itself.

Exploitation requires that Erlang distribution run over TLS with the kernel check_ip setting enabled, and that the TLS trust model accept certificates from a CA that is not dedicated exclusively to cluster members.
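The LAN restriction referred to above, as an added illustration that is not OTP's own inet_tls_dist code and does not reproduce the flawed comparison: a peer is considered on the LAN when, for at least one local interface, the peer address and the interface address agree under that interface's netmask, which means the masked peer address has to be one of the two operands compared. The interface list and the addresses in demo/0 are constructed; affected_config/0 is an assumed operator self-check that reads the two conditions from the advisory that a live node can report (the -proto_dist flag and the kernel check_ip setting).

```erlang
%% lan_check_example.erl
%% Added example for this advisory; not OTP's inet_tls_dist.erl.
%% Demonstrates the LAN restriction that the kernel `check_ip` setting is
%% meant to enforce on incoming distribution connections.
-module(lan_check_example).
-export([peer_on_lan/2, sample_ifs/0, affected_config/0, demo/0]).

%% Apply a netmask tuple to an address tuple of the same arity
%% (4 elements for IPv4, 8 for IPv6).
mask(Netmask, Addr) when tuple_size(Netmask) =:= tuple_size(Addr) ->
    list_to_tuple([M band A || {M, A} <- lists:zip(tuple_to_list(Netmask),
                                                   tuple_to_list(Addr))]).

%% Intended check: the PEER address, masked with an interface's netmask,
%% must equal that interface's own address under the same mask. Comparing
%% any operand other than the peer address (for example the local socket
%% address against itself) would make the check vacuous.
peer_on_lan(PeerIP, IFs) ->
    lists:any(fun({OwnIP, Netmask}) ->
                      tuple_size(OwnIP) =:= tuple_size(PeerIP) andalso
                      mask(Netmask, OwnIP) =:= mask(Netmask, PeerIP)
              end, IFs).

%% Constructed interface list of {Address, Netmask}; on a live node this
%% would come from inet:getifaddrs/0.
sample_ifs() ->
    [{{10,0,1,20},     {255,255,255,0}},
     {{192,168,50,7},  {255,255,0,0}}].

%% Assumed operator self-check: is this node running distribution over TLS
%% with check_ip enabled? The third condition from the advisory (whether the
%% trusted CA is shared with non-members) cannot be read from the runtime and
%% must be reviewed in the cacertfile given to the ssl dist options.
affected_config() ->
    TlsDist = case init:get_argument(proto_dist) of
                  {ok, [["inet_tls"]]}  -> true;
                  {ok, [["inet6_tls"]]} -> true;
                  _                     -> false
              end,
    CheckIp = application:get_env(kernel, check_ip) =:= {ok, true},
    #{tls_dist => TlsDist,
      check_ip => CheckIp,
      relies_on_lan_check => TlsDist andalso CheckIp}.

%% Constructed peers: two inside the sample subnets, one outside.
demo() ->
    IFs = sample_ifs(),
    [{{10,0,1,77},    peer_on_lan({10,0,1,77}, IFs)},
     {{192,168,9,1},  peer_on_lan({192,168,9,1}, IFs)},
     {{203,0,113,5},  peer_on_lan({203,0,113,5}, IFs)}].
```

Compile with erlc and call lan_check_example:demo() in a shell to see the first two constructed peers accepted and the third rejected; on a running node, lan_check_example:affected_config() reports whether the node is in the configuration the advisory describes, after which the CA trust model still has to be checked by hand.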


How to mitigate CVE-2026-48860

Install the security update from the vendor's website. Until it is applied, do not rely on the check_ip setting to restrict TLS distribution to the LAN: use a CA dedicated exclusively to cluster members for the distribution trust store, and restrict reachability of the distribution port at the network level.

Sources