Erlang OTP: Seven Vulnerabilities Disclosed, Including High-Severity Flaws

Key findings
- Seven vulnerabilities disclosed for Erlang OTP on June 10, 2026.
- High-severity flaws include a VM crash via SCTP ERROR chunk (CVE-2026-49759) and SSL authentication bypass (CVE-2026-48860).
- Buffer overflows in erl_interface (CVE-2026-49760) and erts (CVE-2026-49759) present significant risks.
- Vulnerabilities affect multiple components: erl_interface, erts, ssl, ssh, inets, and ftp.
- Issues include username enumeration via timing attacks (CVE-2026-48859) and SSRF (CVE-2026-48858).
- Sensitive data exposure is possible through HTTP redirects (CVE-2026-48856) and SFTP link handling (CVE-2026-48855).
Erlang OTP Faces Security Scrutiny with Seven New Vulnerabilities
On June 10, 2026, a batch of seven vulnerabilities affecting Erlang OTP was disclosed, impacting various components and ranging in severity from Low to High. These disclosures highlight potential weaknesses in core functionalities, including buffer overflows, authentication bypasses, and sensitive data exposure.
Stack-Based Buffer Overflows
Two of the vulnerabilities stem from stack-based buffer overflows. **CVE-2026-49760** (Medium) resides in the erl_interface component, specifically within the ei_s_print_term function in ei_printterm.c. This function uses a fixed 2000-character buffer on the stack, which can be overflowed. A more severe issue, **CVE-2026-49759** (High), is found in the erts (inet_drv) component. An unauthenticated remote attacker can exploit a flaw in the sctp_parse_error_chunk function within inet_drv.c by sending a crafted SCTP ERROR chunk, leading to a crash of the BEAM VM.
Authentication and Access Control Issues
Several vulnerabilities revolve around authentication and access control mechanisms. **CVE-2026-48860** (High) affects the ssl component (inet_tls_dist module) and allows an unauthenticated bypass of the distribution-over-TLS LAN allowlist. The inet_tls_dist:check_ip/1 function incorrectly uses inet:sockname/1 (the local address of the socket) instead of inet:peername/1 (the remote address), undermining the intended IP-based authentication for Erlang distribution over TLS.
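The defect class is easy to reproduce in a few lines. The module below is an added illustration, not OTP's inet_tls_dist code: it contrasts an allowlist check that (wrongly) inspects the socket's own local address with one that inspects the peer's address, on top of a small IPv4 CIDR matcher. The allowlist format ({Network, PrefixBits} tuples) and the sample addresses in demo/0 are constructed for the example.

```erlang
-module(dist_allowlist).
-export([check_peer/2, check_local_wrong/2, addr_in_allowlist/2, demo/0]).

%% Added example (not OTP code). Allowlist entries are {Network, Bits},
%% e.g. {{10,0,0,0}, 8}; IPv4 only for brevity.

%% Correct: test the REMOTE end of the accepted socket.
check_peer(Socket, Allowlist) ->
    case inet:peername(Socket) of
        {ok, {PeerAddr, _Port}} -> addr_in_allowlist(PeerAddr, Allowlist);
        {error, _} = Err        -> Err
    end.

%% The pattern the advisory describes: inet:sockname/1 yields the LOCAL
%% address, which sits on the LAN by definition, so every peer passes.
check_local_wrong(Socket, Allowlist) ->
    case inet:sockname(Socket) of
        {ok, {LocalAddr, _Port}} -> addr_in_allowlist(LocalAddr, Allowlist);
        {error, _} = Err         -> Err
    end.

%% Pure membership test: true if Addr falls inside any allowlisted prefix.
addr_in_allowlist(Addr, Allowlist) ->
    lists:any(fun({Net, Bits}) -> in_cidr(Addr, Net, Bits) end, Allowlist).

in_cidr({A, B, C, D}, {NA, NB, NC, ND}, Bits) when Bits >= 0, Bits =< 32 ->
    Mask   = (16#FFFFFFFF bsl (32 - Bits)) band 16#FFFFFFFF,
    Int    = (A bsl 24) bor (B bsl 16) bor (C bsl 8) bor D,
    NetInt = (NA bsl 24) bor (NB bsl 16) bor (NC bsl 8) bor ND,
    (Int band Mask) =:= (NetInt band Mask);
in_cidr(_, _, _) ->
    false.

%% Constructed sample data; runs with: dist_allowlist:demo().
demo() ->
    Allow = [{{10,0,0,0}, 8}, {{192,168,1,0}, 24}],
    true  = addr_in_allowlist({10,20,30,40},  Allow),
    true  = addr_in_allowlist({192,168,1,7},  Allow),
    false = addr_in_allowlist({192,168,2,7},  Allow),
    false = addr_in_allowlist({203,0,113,9},  Allow),
    ok.
```

When reviewing any address-based allowlist, the check to make is which end of the socket is being consulted; a test that connects from a non-allowlisted address and expects rejection catches this class regardless of the code's structure.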
Furthermore, **CVE-2026-48859** (Medium) in the ssh component (ssh_auth, ssh_options modules) presents an observable timing discrepancy. This vulnerability allows for unauthenticated remote username enumeration via a timing side-channel during password authentication when the SSH daemon is configured with user-based password options. The ssh_auth:check_password/3 function's PBKDF2 implementation is implicated.
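The mitigation for a user-enumeration timing side-channel is to make the unknown-user path do the same expensive work as the known-user path and to compare hashes in constant time. The module below is an added example written for this article, not OTP's ssh_auth code; it assumes OTP 25 or later for crypto:hash_equals/2 (crypto:pbkdf2_hmac/5 needs OTP 24.2 or later), and the user store, iteration count and sample credentials are constructed.

```erlang
-module(uniform_auth).
-export([check_password/3, demo/0]).

%% Added example (not OTP code). Parameters are constructed for illustration.
-define(ITER, 10000).
-define(KEYLEN, 32).
-define(SALT_LEN, 16).

%% Users is a map Name => {Salt, StoredHash}. When the user is unknown we
%% still run PBKDF2 against a fixed dummy salt/hash, so the response time
%% does not depend on whether the username exists.
check_password(User, Password, Users) ->
    {Salt, Stored, Known} =
        case maps:find(User, Users) of
            {ok, {S, H}} -> {S, H, true};
            error        -> {dummy_salt(), dummy_hash(), false}
        end,
    Derived = derive(Password, Salt),
    %% hash_equals/2 is constant-time for equal-length binaries.
    Match = crypto:hash_equals(Derived, Stored),
    Known andalso Match.

derive(Password, Salt) ->
    crypto:pbkdf2_hmac(sha256, Password, Salt, ?ITER, ?KEYLEN).

%% Fixed placeholders so the unknown-user path costs the same as a real one.
dummy_salt() -> <<0:(?SALT_LEN * 8)>>.
dummy_hash() -> <<0:(?KEYLEN * 8)>>.

%% Constructed sample data; runs with: uniform_auth:demo().
demo() ->
    Salt  = crypto:strong_rand_bytes(?SALT_LEN),
    Users = #{<<"alice">> => {Salt, derive(<<"correct horse">>, Salt)}},
    true  = check_password(<<"alice">>,   <<"correct horse">>, Users),
    false = check_password(<<"alice">>,   <<"wrong">>,         Users),
    false = check_password(<<"mallory">>, <<"anything">>,      Users),
    ok.
```

A quick check for this class of bug is to measure the server's response time for a failed login with a valid username against one with an invalid username over many samples; the two distributions should be indistinguishable.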
Sensitive Data Exposure and SSRF
Sensitive data exposure is another theme within this batch. **CVE-2026-48856** (High) in the inets component (httpc_response module) allows sensitive data embedded in request headers to leak. The httpc client forwards Authorization and Proxy-Authorization headers to redirect targets without verifying whether the redirect crosses an origin boundary. Additionally, **CVE-2026-48855** (Low) in the ssh component (ssh_sftpd module) allows for file discovery. The SSH_FXP_READLINK handler sends raw results from file:read_link/2 without properly sanitizing paths, potentially exposing sensitive information.
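The usual fix on the client side is to compute the origin (scheme, host, port) of the original request and of the redirect target and drop credential-bearing headers when they differ. The module below is an added example, not httpc's own redirect logic; it uses uri_string:parse/1 from the standard library, treats only the two headers named in the advisory as credentials, and the URLs and header values in demo/0 are constructed.

```erlang
-module(redirect_headers).
-export([headers_for_redirect/3, same_origin/2, demo/0]).

%% Added example (not OTP code). Origin is {Scheme, Host, Port} with the
%% default port filled in so "https://h" and "https://h:443" compare equal.
origin(Url) ->
    #{scheme := Scheme, host := Host} = Parsed = uri_string:parse(Url),
    Port = maps:get(port, Parsed, default_port(string:lowercase(Scheme))),
    {string:lowercase(Scheme), string:lowercase(Host), Port}.

default_port("http")  -> 80;
default_port("https") -> 443;
default_port(_)       -> undefined.

same_origin(UrlA, UrlB) ->
    origin(UrlA) =:= origin(UrlB).

%% Keep all headers on a same-origin redirect; otherwise strip credentials.
headers_for_redirect(OriginalUrl, RedirectUrl, Headers) ->
    case same_origin(OriginalUrl, RedirectUrl) of
        true  -> Headers;
        false -> [H || {Name, _} = H <- Headers, not is_credential_header(Name)]
    end.

is_credential_header(Name) ->
    lists:member(string:lowercase(Name), ["authorization", "proxy-authorization"]).

%% Constructed sample data; runs with: redirect_headers:demo().
demo() ->
    Hdrs = [{"Authorization", "Bearer <constructed-token>"},
            {"Accept", "application/json"}],
    Keep = [{"Accept", "application/json"}],
    Hdrs = headers_for_redirect("https://api.example/v1", "https://api.example/v2", Hdrs),
    Keep = headers_for_redirect("https://api.example/v1", "https://other.example/",  Hdrs),
    Keep = headers_for_redirect("https://api.example/v1", "http://api.example/v1",   Hdrs),
    ok.
```

Note the third case in demo/0: a downgrade from https to http on the same host is a different origin and must also drop the credentials, since the header would otherwise travel in cleartext.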
Server-Side Request Forgery
**CVE-2026-48858** (Medium) in the ftp component (ftp_internal module) is a Server-Side Request Forgery (SSRF) vulnerability. It enables FTP bounce attacks and SSRF through an unvalidated PASV response IP address. The ftp_internal:handle_ctrl_result/2 function's PASV handler extracts an IP address from the server's 227 response without proper validation, allowing an attacker to manipulate the FTP connection.
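A defensive passive-mode client should treat the address in the 227 reply as untrusted and only open the data connection to the host it is already talking to on the control connection. The module below is an added example, not OTP's ftp_internal code: parse_227/1 validates the six octets of the reply, and data_endpoint/2 refuses any advertised address that differs from the control-connection peer. The reply lines and peer address in demo/0 are constructed.

```erlang
-module(pasv_check).
-export([parse_227/1, data_endpoint/2, demo/0]).

%% Added example (not OTP code). Parses
%% "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" into {{h1,h2,h3,h4}, Port}.
parse_227(Line) ->
    Re = "\\((\\d+),(\\d+),(\\d+),(\\d+),(\\d+),(\\d+)\\)",
    case re:run(Line, Re, [{capture, all_but_first, list}]) of
        {match, Fields} ->
            Octets = [list_to_integer(F) || F <- Fields],
            case lists:all(fun(X) -> X >= 0 andalso X =< 255 end, Octets) of
                true ->
                    [H1, H2, H3, H4, P1, P2] = Octets,
                    {ok, {{H1, H2, H3, H4}, P1 * 256 + P2}};
                false ->
                    {error, bad_octet}
            end;
        nomatch ->
            {error, malformed_227}
    end.

%% ControlPeerAddr is what inet:peername/1 reports for the control socket.
%% Only that address is accepted as the data-connection target; a server
%% (or an on-path party) advertising another host is rejected outright.
data_endpoint(Line, ControlPeerAddr) ->
    case parse_227(Line) of
        {ok, {Addr, Port}} when Addr =:= ControlPeerAddr -> {ok, {Addr, Port}};
        {ok, {Addr, _Port}} -> {error, {pasv_addr_mismatch, Addr}};
        {error, _} = Err    -> Err
    end.

%% Constructed sample data; runs with: pasv_check:demo().
demo() ->
    Peer = {192,0,2,10},
    {ok, {{192,0,2,10}, 50000}} =
        data_endpoint("227 Entering Passive Mode (192,0,2,10,195,80)", Peer),
    {error, {pasv_addr_mismatch, {10,0,0,5}}} =
        data_endpoint("227 Entering Passive Mode (10,0,0,5,195,80)", Peer),
    {error, malformed_227} =
        data_endpoint("227 Entering Passive Mode", Peer),
    ok.
```

Some clients instead ignore the advertised address entirely and always connect to the control peer on the advertised port; either policy closes the hole, but logging the mismatch (as the error tuple allows) gives defenders a signal that a server is misbehaving.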
Vendor Response and Mitigation
Details regarding specific patches or affected versions were not immediately available at the time of disclosure. Users of Erlang OTP are advised to monitor official Erlang/OTP security advisories for updates and recommended mitigation strategies. Given the range of vulnerabilities, prompt patching and configuration review will be crucial for maintaining system security.